Yiheng Cao created STORM-4002:
---------------------------------
Summary: Security Vulnerability - Action Required: “Incorrect
Permission Assignment for Critical Resource” vulnerability in some components
of org.apache.storm
Key: STORM-4002
URL: https://issues.apache.org/jira/browse/STORM-4002
Project: Apache Storm
Issue Type: Bug
Components: storm-kafka, storm-starter
Affects Versions: 1.2.2, 1.1.3, 1.2.1, 1.1.2, 1.2.0, 1.1.1, 1.1.0
Reporter: Yiheng Cao
I think the method
org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem
fs, Path path, FsAction action, Map<URI, FileStatus> statCache) may have an
“Incorrect Permission Assignment for Critical Resource” vulnerability which
affects some components of org.apache.storm. It shares similarities with a
recent CVE disclosure, _CVE-2017-3166_, in the _"apache/hadoop"_ project. The
affected components are listed below:
# org.apache.storm:storm-kafka-examples in the versions between 1.1.0 and
1.2.4.
# org.apache.storm:storm-starter in the versions of 1.1.2-1.1.3 and 1.2.0-1.2.2
The source vulnerability information is as follows:
*Vulnerability Detail:*
*CVE Identifier:* CVE-2017-3166
*Description:* In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3,
and 3.0.0-alpha1, if a file in an encryption zone with access permissions that
make it world readable is localized via YARN's localization mechanism, that
file will be stored in a world-readable location and can be shared freely with
any application that requests to localize that file.
*Reference:* [https://nvd.nist.gov/vuln/detail/CVE-2017-3166]
*Patch:* [https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29]
*Vulnerability Description:* The vulnerability is present in the class
org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager, in the method
checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI,
FileStatus> statCache), which is responsible for checking the permissions of
other files in the distributed cache. *But the check snippet is similar to the
vulnerable snippet for CVE-2017-3166* and may have the same consequence as
CVE-2017-3166: *a file in an encryption zone with access permissions will be
stored in a world-readable location and can be freely shared with any
application that requests the file to be localized*.
Therefore, maybe you need to fix the vulnerability with much the same fix code
as the CVE-2017-3166 patch.
Considering the potential risks it may have, I am willing to cooperate with
you to verify, address, and report the identified vulnerability promptly
through responsible means. If you require any further information or
assistance, please do not hesitate to reach out to me. Thank you, and I look
forward to hearing from you soon.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
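To make the decision the report is talking about concrete, here is an added model of the localizer's "is this distributed-cache file public?" check in its pre- and post-CVE-2017-3166 forms. This is example code written for this page in Python, not Storm or Hadoop code: FsAction, FileStatus, check_permission_of_other and is_public mirror the Hadoop names cited in the report, the stat cache is constructed, and the post-fix variant guards on the file's encrypted flag, which is how I understand the linked Hadoop commit to close the hole (confirm against the commit itself). The point it shows is that the mode bits of a file inside an encryption zone can legitimately say "world readable", and a check that consults only those bits will classify the file as public and let YARN copy its plaintext into the shared public cache directory.

```python
"""Model of the YARN localizer's "is this distributed-cache file public?"
decision, before and after the CVE-2017-3166 fix.

Constructed example; not Storm or Hadoop code. The names mirror the Hadoop
methods named in the report and the stat cache below is made up.
"""
from dataclasses import dataclass
from enum import IntFlag
import posixpath


class FsAction(IntFlag):
    """Mirror of the rwx bits of org.apache.hadoop.fs.permission.FsAction."""
    NONE = 0
    EXECUTE = 1
    WRITE = 2
    READ = 4


@dataclass(frozen=True)
class FileStatus:
    """The two fields of org.apache.hadoop.fs.FileStatus the check needs."""
    path: str
    other: FsAction          # permission bits for 'other' (the world)
    encrypted: bool = False  # set by HDFS for paths inside an encryption zone


def _status(stat_cache, path):
    """Stand-in for getFileStatus(fs, uri, statCache); the cache is the FS here."""
    if path not in stat_cache:
        raise FileNotFoundError(path)
    return stat_cache[path]


def check_permission_of_other_vulnerable(stat_cache, path, action):
    """Pre-fix logic: the verdict rests on the 'other' mode bits alone."""
    return action in _status(stat_cache, path).other


def check_permission_of_other_fixed(stat_cache, path, action):
    """Post-fix logic: an encrypted path is never public, whatever its mode
    bits say (assumed reading of the CVE-2017-3166 patch; verify it)."""
    status = _status(stat_cache, path)
    if status.encrypted:
        return False
    return action in status.other


def ancestors(path):
    """Yield the parent chain up to and including '/', like Path.getParent()."""
    current = posixpath.dirname(path)
    while True:
        yield current
        if current == "/":
            return
        current = posixpath.dirname(current)


def is_public(stat_cache, path, check=check_permission_of_other_fixed):
    """Mirror of ClientDistributedCacheManager.isPublic: the leaf must be
    world-readable and every ancestor world-executable. A 'public' resource
    is localized once into a world-readable directory shared by all apps."""
    if not check(stat_cache, path, FsAction.READ):
        return False
    return all(check(stat_cache, p, FsAction.EXECUTE) for p in ancestors(path))


RX = FsAction.READ | FsAction.EXECUTE

# Constructed stat cache: an ordinary home directory and an encryption zone.
SAMPLE_STAT_CACHE = {
    "/": FileStatus("/", RX),
    "/user": FileStatus("/user", RX),
    "/user/alice": FileStatus("/user/alice", RX),
    "/user/alice/public.jar": FileStatus("/user/alice/public.jar", FsAction.READ),
    "/user/alice/private.jar": FileStatus("/user/alice/private.jar", FsAction.NONE),
    "/user/bob": FileStatus("/user/bob", FsAction.READ),   # no execute for others
    "/user/bob/lib.jar": FileStatus("/user/bob/lib.jar", FsAction.READ),
    "/secure": FileStatus("/secure", RX, encrypted=True),
    "/secure/creds.jar": FileStatus("/secure/creds.jar", FsAction.READ, encrypted=True),
}


def classify(stat_cache, path):
    """Return (verdict before fix, verdict after fix) so the divergence shows."""
    return (is_public(stat_cache, path, check_permission_of_other_vulnerable),
            is_public(stat_cache, path, check_permission_of_other_fixed))


if __name__ == "__main__":
    for p in sorted(k for k in SAMPLE_STAT_CACHE if k.endswith(".jar")):
        before, after = classify(SAMPLE_STAT_CACHE, p)
        print(f"{p:26} public? before fix={before!s:5} after fix={after}")
```

Only /secure/creds.jar changes verdict between the two variants: its bits say world-readable, so the pre-fix check makes it public and eligible for the shared cache directory, while the post-fix check refuses because it is encrypted. For the Storm modules named in the report the practical check is which hadoop-mapreduce-client version they resolve (for example via mvn dependency:tree), since the method lives in Hadoop rather than in Storm; a build that pulls in a Hadoop release inside the affected ranges quoted above inherits the pre-fix behaviour.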