Please feel free to disregard.

On Thu, Sep 21, 2023, 8:43 AM Charles Givre <cgi...@gmail.com> wrote:

> Hi there,
> Thanks for sending. Could you please verify that this vulnerability actually exists in current Drill? We are currently on Drill 1.21.1. I'm also fairly certain that we are no longer using the Hadoop versions listed below.
> Thanks,
> -- C
>
> > On Sep 21, 2023, at 9:20 AM, James Watt <crispy.james.w...@gmail.com> wrote:
> >
> > Hi there,
> > I think the method `org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache)` may have an “Incorrect Permission Assignment for Critical Resource” vulnerability which is vulnerable in org.apache.drill.exec_drill-jdbc-all:1.4.0. It shares similarities to a recent CVE disclosure CVE-2017-3166 in the same project "apache/hadoop" project.
> > The source vulnerability information is as follows:
> >> Vulnerability Detail:
> >> CVE Identifier: CVE-2017-3166
> >> Description: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
> >> Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-3166
> >> Patch: https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29
> >
> > Vulnerability Description: The vulnerability is present in the class org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager of method checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache), which is responsible for checking the permissions of other files in the distributed cache. But the check snippet is similar to the vulnerable snippet for CVE-2017-3166 and may have the same consequence as CVE-2017-3166: a file in an encryption zone with access permissions will be stored in a world-readable location and can be freely shared with any application that requests the file to be localized. Therefore, maybe you need to fix the vulnerability with much the same fix code as the CVE-2017-3166 patch.
> >
> > Maybe the version of the hadoop your project depends on is vulnerable, you can update it to a newer one.
> >
> > Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you and look forward to hearing from you soon.
> >
> > Best regards,
> > Yiheng Cao