====================================================================
                          CERT-Renater

              Information Note No. 2018/VULN239
_____________________________________________________________________

DATE                : 19/07/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Ambari versions 2.5.x, 2.6.x
                     prior to 2.7.0.

=====================================================================
https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities
_____________________________________________________________________

CVE-2018-8042: Passwords for Hadoop credential stores are visible in
Ambari Agent standard out

Severity: Important

Vendor: Hortonworks

Versions Affected: Ambari 2.5.x, Ambari 2.6.x

Versions Fixed: Ambari 2.7.0

Description: Passwords for Hadoop credential stores are exposed in
Ambari Agent informational log messages when the credential store
feature is enabled for eligible services, for example Hive and Oozie.

Mitigation:
Ambari 2.5.x installations should be upgraded to Ambari 2.7.0
Ambari 2.6.x installations should be upgraded to Ambari 2.7.0

Credit: This issue was discovered by Hortonworks.

=========================================================
+ CERT-RENATER          |    tel : 01-53-94-20-44       +
+ 23/25 Rue Daviel      |    fax : 01-53-94-20-41       +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================