Apache Hadoop DataNode Missed Validation Vulnerability

2017-04-26T00:00:00
ID 1337DAY-ID-27683
Type zdt
Reporter Sunil Yadav
Modified 2017-04-26T00:00:00

Description

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated. Apache Hadoop versions 2.6.x and earlier are affected.

                                        
CVE-2017-3162: Apache Hadoop DataNode web UI vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions affected: Hadoop 2.6.x and earlier

Description:
HDFS clients interact with a servlet on the DataNode to browse the
HDFS namespace. The NameNode is provided as a query parameter that is
not validated.

Mitigation:
Users of Apache Hadoop 2.6.x and earlier should upgrade to Hadoop
2.7.0 or later.

Credit:
This issue was discovered by Sunil Yadav.
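
The description above says the NameNode arrives as a query parameter that is not validated. As an added illustration (not Apache Hadoop code and not the project's fix, which is the upgrade named under Mitigation), the Java example below performs an exact-match allowlist check on a host:port value taken from a request. The class name, method names and sample addresses are hypothetical, and IPv6 literals are deliberately rejected.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example: allowlist check for a NameNode address taken from a request.
// Class, methods and sample addresses are hypothetical, not Hadoop's own code.
public final class NameNodeParamValidator {
    private final Set<String> allowed = new HashSet<>(); // canonical "host:port" entries

    public NameNodeParamValidator(Set<String> configuredNameNodes) {
        for (String entry : configuredNameNodes) {
            String canon = canonicalize(entry);
            if (canon == null) throw new IllegalArgumentException("bad config entry: " + entry);
            allowed.add(canon);
        }
    }

    // Returns canonical "host:port", or null when the value is not a plain host:port.
    static String canonicalize(String raw) {
        if (raw == null || raw.length() > 259) return null; // 253-char host + ':' + 5 digits
        int idx = raw.lastIndexOf(':');
        if (idx <= 0 || idx == raw.length() - 1) return null;
        String host = raw.substring(0, idx).toLowerCase(Locale.ROOT);
        String portStr = raw.substring(idx + 1);
        // Hostname/IPv4 characters only: rejects '@', '/', '?', '#', '%', spaces, CR/LF.
        if (!host.matches("[a-z0-9]([a-z0-9.-]*[a-z0-9])?")) return null;
        if (!portStr.matches("[0-9]{1,5}")) return null;
        int port = Integer.parseInt(portStr);
        if (port < 1 || port > 65535) return null;
        return host + ":" + port;
    }

    // True only when the request value names a configured NameNode exactly.
    public boolean isAllowed(String requestValue) {
        String canon = canonicalize(requestValue);
        return canon != null && allowed.contains(canon);
    }

    public static void main(String[] args) {
        NameNodeParamValidator v = new NameNodeParamValidator(
            Set.of("nn1.example.internal:8020", "nn2.example.internal:8020")); // constructed
        String[] samples = { "nn1.example.internal:8020", "NN2.example.internal:08020",
            "other.example.net:8020", "nn1.example.internal:8020@other.example.net",
            "nn1.example.internal", "nn1.example.internal:8020\r\nX: y" }; // constructed
        for (String s : samples) // only the first two samples print "true"
            System.out.println(v.isAllowed(s) + "  " + s.replaceAll("[\\r\\n]", "?"));
    }
}
```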
