====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN027
_____________________________________________________________________

DATE                : 22/01/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Hadoop versions prior to
                               2.7.5, 2.8.3, 2.9.0, 3.0.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/hadoop-user/201801.mbox/%3cCAMqJVeOJ6D5qgreA6ZiN3u30iQx2_1s3h+dns-60voG6H1fxNQ@mail.gmail.com%3e
_____________________________________________________________________

CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
  Hadoop 0.23.0 to 0.23.11
  Hadoop 2.0.0-alpha to 2.8.2
  Hadoop 3.0.0-alpha to 3.0.0-beta1

Users affected: Users running the MapReduce job history server daemon

Impact:  Vulnerability allows a cluster user to expose private files
owned by the user running the MapReduce job history server process.
The malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history
server host.

Mitigation: Users should upgrade to Apache Hadoop 2.7.5, 2.8.3, 2.9.0,
or 3.0.0.

Credit: This issue was discovered by Man Yue Mo of lgtm.com

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================