Thanks for the note, Yongjun! Does HADOOP-13434 <https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?

On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhan...@apache.org> wrote:

> Hi,
>
> Please see below the official announcement of a critical security
> vulnerability that's discovered and subsequently fixed in Apache Hadoop
> releases.
>
> Thanks and best regards,
>
> --Yongjun
>
> ----------
>
> CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
>
> Severity: Critical
>
> Vendor:
>
> The Apache Software Foundation
>
> Versions Affected:
>
> Hadoop 2.6.x, 2.7.x
>
> Description:
>
> A remote user who can authenticate with the HDFS NameNode can possibly run
> arbitrary commands as the hdfs user.
>
> Mitigation:
>
> 2.7.x users should upgrade to 2.7.3
>
> 2.6.x users should upgrade to 2.6.5
>
> Impact:
>
> A remote user who can authenticate with the HDFS NameNode can possibly run
> arbitrary commands with the same privileges as HDFS service.
>
> Credit:
>
> This issue was discovered by Freddie Rice.
>
> ----------

--
Zhe Zhang
Apache Hadoop Committer
http://zhe-thoughts.github.io/about/ | @oldcap