List:       oss-security
Subject:    [oss-security] CVE-2018-11767: Apache Hadoop KMS ACL regression
From:       Akira Ajisaka <aajisaka () apache ! org>
Date:       2019-03-11 6:49:26
Message-ID: CAP+3qq7SubiwXMZFGwetLJ11CH4VuQAuX0x7YSZ+1zaU36oMmA () mail ! gmail ! com
CVE-2018-11767: Apache Hadoop KMS ACL regression

Severity: Severe

Vendor: The Apache Hadoop Software Foundation

Versions affected: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6.

Description:
After the security fix for CVE-2017-15713, KMS has an access control regression:
it incorrectly blocks users or grants them access if the system
uses a non-default groups mapping mechanism such as LdapGroupsMapping,
CompositeGroupsMapping, or NullGroupsMapping.

Mitigation:
Users should upgrade to Apache Hadoop 2.7.7, 2.8.5, or 2.9.2.

Credit:
This issue was discovered by Wei-Chiu Chuang.