
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN057
_____________________________________________________________________

DATE                : 19/02/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Oozie versions prior to 4.3.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/oozie-user/201802.mbox/%3cCABBupGWtC2vN-JzXWeuDaN-_bP6yzRJhK+DAfr=gSGLZJGbFCQ@mail.gmail.com%3e
_____________________________________________________________________

Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.

Severity: Severe


Vendor:
The Apache Software Foundation


Versions Affected:
Oozie 3.1.3-incubating to Oozie 4.3.0
Oozie 5.0.0-beta1


Description:
The vulnerability allows an Oozie user to expose private files readable by
the Oozie server process.  A malicious user can construct a workflow XML
file containing XML directives and configuration that reference
sensitive files on the Oozie server host.
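An added example, not part of this advisory or of the Oozie project's code: a pre-parse gate, written in Python for illustration (Oozie itself is Java), that refuses any workflow definition carrying a DTD or entity declaration so the parser never resolves a reference to a file on the server host. The workflow namespace is the real Oozie one; the two sample definitions and the file path in the second are constructed placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeWorkflowError(ValueError):
    """Raised when a submitted workflow definition carries a DTD or entity declaration."""

def _reject_dtd(data: bytes) -> None:
    """Validation pass: abort as soon as expat reports a DOCTYPE or any entity."""
    parser = expat.ParserCreate()

    def reject(*_args):
        # Raising inside an expat handler propagates out of Parse(), so the
        # definition is refused before any entity could be resolved.
        raise UnsafeWorkflowError("DTD or entity declaration found in workflow XML")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.Parse(data, True)


def parse_workflow(data: bytes) -> ET.Element:
    """Parse a workflow definition, refusing any DTD before building the tree."""
    _reject_dtd(data)
    return ET.fromstring(data)


def is_safe_workflow(data: bytes) -> bool:
    """True if the definition parses without a DTD or entity declaration."""
    try:
        parse_workflow(data)
    except UnsafeWorkflowError:
        return False
    return True


# Constructed sample: a minimal well-formed definition (real Oozie workflow namespace).
SAFE_WORKFLOW = b"""<workflow-app xmlns="uri:oozie:workflow:0.5" name="demo">
  <start to="end"/>
  <end name="end"/>
</workflow-app>"""

# Constructed sample: the same definition preceded by a DTD declaring an
# external entity; the path is a placeholder, not a real file.
UNSAFE_WORKFLOW = b"""<!DOCTYPE workflow-app [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path/on/oozie/host">
]>
<workflow-app xmlns="uri:oozie:workflow:0.5" name="&ext;">
  <start to="end"/>
</workflow-app>"""
```

The same two-step shape (reject at the DOCTYPE event, then build the tree) is what a hardened server-side parser configuration achieves; a submission gate like this one is a defence in depth for deployments that cannot upgrade immediately.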


Mitigation:
Users should upgrade to the Apache Oozie 4.3.1 release from
http://oozie.apache.org/ .
Users should use the 5.0.0-beta1 release only for testing purposes and
wait for the 5.0.0 GA release, which will have the fix.


Credit:
The issues were discovered by Daryn Sharp and Jason Lowe of Oath
(formerly Yahoo! Inc).


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
