[ 
https://issues.apache.org/jira/browse/MAPREDUCE-7451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Steve Loughran updated MAPREDUCE-7451:
--------------------------------------
    Description: TrackerDistributedCacheManager.checkPermissionOfOther() 
doesn't seem to work reliably  (was:     I think the method 
{{org.apache.hadoop.filecache.TrackerDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action)}} 
may have an “Incorrect Permission Assignment for Critical Resource” 
vulnerability which is vulnerable in the newest version of Hadoop. It shares 
similarities to a recent CVE disclosure _CVE-2017-3166_ in the same 
_"apache/hadoop"_ project.

    The vulnerability is present in the class 
org.apache.hadoop.filecache.TrackerDistributedCacheManager, in the method 
checkPermissionOfOther(FileSystem fs, Path path, FsAction action), which is 
responsible for checking whether the file system object (FileSystem) at the 
specified path has additional user permissions for the specified 
operation (action). {*}But the check snippet is similar to the vulnerable 
snippet for CVE-2017-3166{*} and may have the same consequence as 
CVE-2017-3166: {*}a file in an encryption zone with access permissions will 
be stored in a world-readable location and can be freely shared with any 
application that requests the file to be localized{*}. Therefore, maybe you 
need to fix the vulnerability with much the same fix code as the CVE-2017-3166 
patch. )

> review TrackerDistributedCacheManager.checkPermissionOfOther
> ------------------------------------------------------------
>
>                 Key: MAPREDUCE-7451
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-7451
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>            Reporter: Yiheng Cao
>            Priority: Major
>
> TrackerDistributedCacheManager.checkPermissionOfOther() doesn't seem to work 
> reliably



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: mapreduce-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: mapreduce-issues-h...@hadoop.apache.org
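
The concern raised in the issue description, as an added example that is not Hadoop's code or part of the original message: a self-contained model (Java 16+) comparing a cache-visibility check that looks only at the "other" permission bits with one that also treats files in an encryption zone as private. `Status`, `isPublicModeOnly` and `isPublicEncryptionAware` are hypothetical names, the ancestor-directory execute check is an assumption of the model, and the sample paths are constructed.

```java
import java.util.List;

public class CacheVisibilityCheck {
    // Hypothetical stand-in for a file status: path, POSIX mode, encryption-zone flag.
    record Status(String path, int mode, boolean encrypted) {}

    static final int READ = 4, EXECUTE = 1;

    // True if the "other" permission triplet grants the requested action.
    static boolean otherAllows(Status s, int action) {
        return ((s.mode() & 7) & action) == action;
    }

    // Mode-only check: the file counts as public (shareable, world-readable cache)
    // if "other" can read it and can traverse every ancestor directory.
    static boolean isPublicModeOnly(List<Status> ancestors, Status file) {
        for (Status dir : ancestors) {
            if (!otherAllows(dir, EXECUTE)) return false;
        }
        return otherAllows(file, READ);
    }

    // Encryption-aware check: a file in an encryption zone is never public,
    // whatever its mode bits say, so it is only localized privately.
    static boolean isPublicEncryptionAware(List<Status> ancestors, Status file) {
        if (file.encrypted()) return false;
        return isPublicModeOnly(ancestors, file);
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from any real cluster.
        List<Status> dirs = List.of(new Status("/", 0755, false),
                                    new Status("/zone", 0755, true));
        List<Status> files = List.of(
            new Status("/zone/keys.jar", 0644, true),   // world-readable, encrypted
            new Status("/zone/job.jar", 0640, true),    // not world-readable
            new Status("/zone/lib.jar", 0644, false));  // world-readable, plain
        for (Status f : files) {
            System.out.printf("%-16s modeOnly=%-5b encryptionAware=%b%n", f.path(),
                isPublicModeOnly(dirs, f), isPublicEncryptionAware(dirs, f));
        }
    }
}
```

The first sample file is the case the description warns about: the two checks disagree on it, and only the mode-only check would place it in the shared cache.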
