Yiheng Cao created MAPREDUCE-7451:
-------------------------------------

             Summary: Security Vulnerability - Action Required: “Incorrect 
Permission Assignment for Critical Resource” vulnerability in the newest 
version of hadoop
                 Key: MAPREDUCE-7451
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-7451
             Project: Hadoop Map/Reduce
          Issue Type: Bug
            Reporter: Yiheng Cao


    I think the method 
{{org.apache.hadoop.filecache.TrackerDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action)}} 
may have an “Incorrect Permission Assignment for Critical Resource” 
vulnerability that is present in the newest version of hadoop. It shares 
similarities with a recent CVE disclosure _CVE-2017-3166_ in the same 
_"apache/hadoop"_ project.

    The vulnerability is present in the class 
org.apache.hadoop.filecache.TrackerDistributedCacheManager, in the method 
checkPermissionOfOther(FileSystem fs, Path path, FsAction action), which is 
responsible for checking whether the file system object (FileSystem) at the 
specified path has additional user permissions for the specified 
operation (action). *But the check snippet is similar to the vulnerable 
snippet for CVE-2017-3166* and may have the same consequence as 
CVE-2017-3166: *a file in an encryption zone with access permissions will 
be stored in a world-readable location and can be freely shared with any 
application that requests the file to be localized*. Therefore, maybe you 
need to fix the vulnerability with much the same fix code as the 
CVE-2017-3166 patch.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
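The report above concerns a "may others do X to this path" check that decides whether a cached file is treated as public, and the CVE it cites describes the failure mode: a file whose POSIX bits are world-readable but which lives in an HDFS encryption zone gets localized into a world-readable location. The following is an added Python model of that decision, not Hadoop's code; the toy filesystem, the encryption-zone set, and the `is_public` rule (file readable by others, every ancestor directory traversable by others, and never inside an encryption zone) are assumptions made for illustration.

```python
import posixpath
import stat
from typing import Dict, FrozenSet

# Constructed toy filesystem: absolute path -> POSIX mode bits.
# This is NOT Hadoop's FileSystem API; it only models the permission bits
# that a checkPermissionOfOther-style check looks at.
TOY_FS: Dict[str, int] = {
    "/": 0o755,
    "/data": 0o755,
    "/data/public.jar": 0o644,          # world-readable, reachable: public
    "/data/private": 0o700,             # parent not traversable by others
    "/data/private/secret.jar": 0o644,  # world-readable bits, but unreachable
    "/ez": 0o755,
    "/ez/keys.jar": 0o644,              # world-readable bits inside an encryption zone
}

# Constructed set of encryption-zone roots (assumption for the example).
TOY_ENCRYPTION_ZONES: FrozenSet[str] = frozenset({"/ez"})

# Map the action names to the "other" permission bits of a POSIX mode.
ACTION_BITS = {
    "read": stat.S_IROTH,
    "write": stat.S_IWOTH,
    "execute": stat.S_IXOTH,
}


def check_permission_of_other(fs: Dict[str, int], path: str, action: str) -> bool:
    """Return True if the 'other' class may perform `action` on `path`.

    A missing path is treated as not permitted rather than raising, so a
    caller can never be tricked into a permissive answer by a dangling path.
    """
    mode = fs.get(path)
    if mode is None:
        return False
    return bool(mode & ACTION_BITS[action])


def ancestors_have_execute(fs: Dict[str, int], path: str) -> bool:
    """Every directory above `path` must be traversable (x) by others."""
    current = posixpath.dirname(path)
    while True:
        if not check_permission_of_other(fs, current, "execute"):
            return False
        if current == "/":
            return True
        current = posixpath.dirname(current)


def in_encryption_zone(path: str, zones: FrozenSet[str]) -> bool:
    """True if `path` is a zone root or lies beneath one."""
    return any(path == z or path.startswith(z.rstrip("/") + "/") for z in zones)


def is_public(fs: Dict[str, int], path: str,
              zones: FrozenSet[str] = frozenset()) -> bool:
    """Decide whether a file may be localized into a shared, world-readable cache.

    The permission-bit test alone is the weak check the report worries about:
    it says "yes" for an encrypted file with 0644 bits. Refusing encryption-zone
    paths outright keeps their plaintext out of the shared cache.
    """
    if in_encryption_zone(path, zones):
        return False
    return (check_permission_of_other(fs, path, "read")
            and ancestors_have_execute(fs, path))


if __name__ == "__main__":
    for p in ("/data/public.jar", "/data/private/secret.jar", "/ez/keys.jar"):
        print(f"{p}: bits-only={is_public(TOY_FS, p)} "
              f"with-zone-check={is_public(TOY_FS, p, TOY_ENCRYPTION_ZONES)}")
```

Running the block shows the contrast the report is pointing at: `/ez/keys.jar` is "public" when only the mode bits are consulted, and private once encryption-zone membership is part of the decision, while `/data/private/secret.jar` is rejected by the ancestor traversal check even though its own bits are 0644.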
