
List:       oss-security
Subject:    [oss-security] CVE-2018-1296: Apache Hadoop HDFS Permissive listXAttr Authorization
From:       Akira Ajisaka <aajisaka () apache ! org>
Date:       2019-01-24 4:34:21
Message-ID: CAP+3qq7v782VBmeatJTNV5L_wDk1dHsoWFNChAUUvsN7z2Tu1Q () mail ! gmail ! com

CVE-2018-1296: Apache Hadoop HDFS Permissive listXAttr Authorization

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5

Description:
HDFS exposes extended attribute key/value pairs during listXAttrs,
verifying only path-level search access to the directory rather than
path-level read permission to the referent. This affects features that
store sensitive data in extended attributes, such as HDFS encryption secrets.

Mitigation:
If a file contains sensitive data in extended attributes, users and admins
need to change the permission to prevent others from listing the directory
which contains the file.

Credit:
This issue was discovered by Rushabh Shah.
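
Added example (not part of the advisory and not Hadoop source code): a simplified model of the two authorization checks the Description contrasts, and of the directory-permission Mitigation. It assumes plain owner/group/other mode bits with no ACLs, superuser or xattr namespaces; all function names, users, paths and the xattr value are constructed for illustration.

```python
# Simplified model (assumption): POSIX-style mode bits only, no ACLs,
# no superuser, no xattr namespaces. Illustrative, not Hadoop code.
from dataclasses import dataclass, field

READ, EXECUTE = 4, 1

@dataclass
class Inode:
    owner: str
    group: str
    mode: int                                   # e.g. 0o755
    xattrs: dict = field(default_factory=dict)

def allowed(inode, user, groups, want):
    # Pick the owner, group or other permission class, then test the bit.
    shift = 6 if user == inode.owner else 3 if inode.group in groups else 0
    return bool((inode.mode >> shift) & want)

def can_traverse(tree, path, user, groups):
    """Search (execute) access on every ancestor directory of `path`."""
    parts = path.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    return all(allowed(tree[d], user, groups, EXECUTE) for d in ancestors)

def list_xattrs_permissive(tree, path, user, groups):
    """Affected behaviour as described: only search access is verified."""
    if not can_traverse(tree, path, user, groups):
        raise PermissionError(path)
    return dict(tree[path].xattrs)

def list_xattrs_strict(tree, path, user, groups):
    """Additionally require read permission on the referent itself."""
    if not can_traverse(tree, path, user, groups):
        raise PermissionError(path)
    if not allowed(tree[path], user, groups, READ):
        raise PermissionError(path)
    return dict(tree[path].xattrs)

# Constructed sample tree: directory open to others, file readable by owner only.
TREE = {
    "/": Inode("hdfs", "supergroup", 0o755),
    "/secure": Inode("alice", "finance", 0o755),
    "/secure/report": Inode("alice", "finance", 0o600, {"user.token": "constructed-secret"}),
}

def probe(check, tree, user, groups, path="/secure/report"):
    """Return the xattrs the caller would see, or None if access is denied."""
    try:
        return check(tree, path, user, groups)
    except PermissionError:
        return None
```

In this model, user bob (not owner, not in the group) gets the xattrs from the permissive check but not from the strict one; closing /secure to others (mode 0o700) makes the permissive check deny bob as well.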