Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache Hadoop YARN NodeManager Password Leak Vulnerability

🗓️ 25 Jan 2018 00:00:00Reported by VinayakumarType 
zdt
 zdt🔗 0day.today👁 46 Views

Apache Hadoop YARN NodeManager Password Leak CVE-2017-1571

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Common vulnerabilities addressed in Cloudera Data Platform 7.1.9 HF2
26 Mar 202503:55
ibm
IBM Security Bulletins		Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Apache Hadoop
17 May 202321:55
ibm
IBM Security Bulletins		Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
22 Jun 202215:20
ibm
IBM Security Bulletins		Security Bulletin: IBM InfoSphere BigInsights 4.2 is affected by Open Source vulnerabilities in Hadoop (CVE-2016-3086, CVE-2016-5001) and Solr (CVE-2017-3163)
18 Jul 202023:17
ibm
BDU FSTEC		The vulnerability of the YARN NodeManager component in Apache Hadoop’s distributed development and execution platform allows a hacker to gain unauthorized access to arbitrary passwords.
7 Sep 202300:00
bdu_fstec
CNVD		Apache Hadoop Information Disclosure Vulnerability (CNVD-2017-00448)
12 Jan 201700:00
cnvd
CNVD		Apache Hadoop YARN NodeManager Password Disclosure Vulnerability
25 Jan 201800:00
cnvd
CVE		CVE-2016-3086
5 Sep 201713:00
cve
CVE		CVE-2017-15718
24 Jan 201814:00
cve
Cvelist		CVE-2016-3086
5 Sep 201713:00
cvelist
Rows per page
CVE-2017-15718: Apache Hadoop YARN NodeManager vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 2.7.3, 2.7.4

Description:
In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete.
The YARN NodeManager can leak the password for credential store provider
used by the NodeManager to YARN Applications.

If you use the CredentialProvider feature to encrypt passwords used in
NodeManager configs, it may be possible for any Container launched
by that NodeManager to gain access to the encryption password.
The other passwords themselves are not directly exposed.

Mitigation:
2.7.3 and 2.7.4 users should upgrade to 2.7.5.
If you cannot upgrade to the latest version, set the permission of
the jceks file appropriately to restrict access from unauthorized users.

#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jan 2018 00:00Current
9.3High risk
Vulners AI Score9.3
EPSS0.01594
apache hadoopyarnnodemanagerpassword leakvulnerabilitysecurity fixencryptioncredentialproviderupgradepermission restriction.
46