HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated. Apache Hadoop versions 2.6.x and earlier are affected.
9b5a91772515b1e4ae857e6ca6ac791ebbdaa6bbd1627cc0c0adba28beade403-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
CVE-2017-3162: Apache Hadoop DataNode web UI vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions affected: Hadoop 2.6.x and earlier
Description:
HDFS clients interact with a servlet on the DataNode to browse the
HDFS namespace. The NameNode is provided as a query parameter that is
not validated.
Mitigation:
Users of Apache Hadoop 2.6.x and earlier should upgrade to Hadoop
2.7.0 or later.
Credit:
This issue was discovered by Sunil Yadav.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJY//MFAAoJEPrQXCrFJpS4ZVYQAJ2BcBuaX/vV8brWXEsMH25L
cUCKbyhdbKaq5m3vcGF6S8H+RAzurZSoy/xxP2Xc9oKKtwcUV/TEphMmYK/xEfTU
iSMs84gV7rLPiCg20YwCSi0DbFjpfvFiLrX/K9YoIHD8ZoWOTxrGmf9JGaGWTsv8
gi7N8iCSja2adc88WoqdbdQg/cTPFdv2OKjQeo0Axg63Vt4UFxdrWpGL7oyXPuHD
df2mJR09jvuprzhyACDL2l4O3YO/Q8BMffHu5XVdnewYUS8K3lOEBsNkdbsJx5YG
8XXUYQEZ8RpnAADaeInI6g5e3qEqISrvtLxp/QXARUgpFYoPY2te+3hBQZADnBiq
JlXtM+UD7iY+bs0c+/AJNTn/JRLqiaRe745E/kkYJ8mjvzFEjko5Eaq1xTuzER42
euH5GDr3tkGXsoGPDrCv+ns9MMMZz9qmMqZOayKNN3oN3gZYg00w6Jm8f4BA5qWs
8tPfgaLGoGnEySoGPZdZPVdwFIOcS16+5Wr2JpvMCv8bTQOPR/H2yAFO4K1mmUEh
HB7T67lBCbNa1LrOFQJIWVRMAx9iR63UzCLpRfiTCKSHei2GFuGzat5gRXly3goF
iZqu2AugMFf93KW9x8koVOyoXYOYcIlhLNyRkBPkpgsYY2LZ96plNkNEPOSD+EGC
FlCf1icS+h2DK/F059f5
=TSqN
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed