
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN156
_____________________________________________________________________

DATE                : 11/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Oozie versions prior to
                     5.2.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/oozie-user/202103.mbox/%3cCAHydKRBC9LCFxd34nyakOSimxAVrAVEAwCUwndgb=pcEGNcz2A@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-35451: Oozie local privilege escalation


Description:

There is a race condition in OozieSharelibCLI which allows a malicious
attacker to replace the files in Oozie's sharelib during its
creation.

A race condition in OozieSharelibCLI allows an attacker to replace the
contents of the sharelib.  This issue affects Apache Oozie versions
prior to 5.2.1.


Mitigation:

Validate the contents of the sharelib after uploading.
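The check below is an added example illustrating the mitigation stated above; it is not code from Apache Oozie or from CERT-Renater. It builds a manifest (relative path to SHA-256) of the local directory that was the upload source, builds the same manifest over the uploaded copy, and reports every file that was modified, removed or added in between. It assumes the uploaded copy can be read as a local directory (for example after fetching it back with `hdfs dfs -get`); the sample sharelib trees and jar contents are constructed inline so the script runs offline.

```python
"""Post-upload sharelib verification (added example, not Oozie's own code).

Assumption: the uploaded sharelib is reachable as a local directory
(e.g. after `hdfs dfs -get`). Sample data below is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large jars do not load into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_upload(expected: dict, actual: dict) -> dict:
    """Compare the source manifest with the uploaded one.

    Returns a dict with keys 'modified', 'missing' and 'added' (only the
    non-empty ones); an empty dict means the upload matches the source.
    """
    findings = {"modified": [], "missing": [], "added": []}
    for rel, digest in expected.items():
        if rel not in actual:
            findings["missing"].append(rel)
        elif actual[rel] != digest:
            findings["modified"].append(rel)
    for rel in actual:
        if rel not in expected:
            findings["added"].append(rel)
    return {k: sorted(v) for k, v in findings.items() if v}


def demo() -> dict:
    """Constructed scenario: a source tree and an uploaded copy in which one
    jar was replaced and one unexpected jar appeared during creation."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "sharelib-src"
        dst = Path(tmp) / "sharelib-uploaded"
        for d in (src, dst):
            (d / "lib" / "hive").mkdir(parents=True)
        # Constructed stand-ins for real jars (content is arbitrary bytes)
        (src / "lib" / "hive" / "hive-exec.jar").write_bytes(b"hive-exec")
        (src / "lib" / "oozie-sharelib.jar").write_bytes(b"sharelib")
        # Uploaded copy: hive-exec.jar intact, oozie-sharelib.jar replaced,
        # plus a file that was never part of the source tree
        (dst / "lib" / "hive" / "hive-exec.jar").write_bytes(b"hive-exec")
        (dst / "lib" / "oozie-sharelib.jar").write_bytes(b"REPLACED")
        (dst / "lib" / "hive" / "unexpected.jar").write_bytes(b"x")
        return verify_upload(build_manifest(src), build_manifest(dst))


if __name__ == "__main__":
    result = demo()
    if result:
        print("sharelib verification FAILED:", result)
    else:
        print("sharelib verification OK")
```

Run the comparison as the same user that performed the upload, immediately after `oozie-setup.sh sharelib create` returns, and treat any non-empty result as a reason to discard the uploaded sharelib and repeat the upload; the manifest of the source tree can also be kept as a record of what was intended to be deployed.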


Credit:

The Apache Oozie PMC would like to thank Jonathan Leitschuh for
reporting the issue.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


