oss-sec mailing list archives
CVE-2018-11767: Apache Hadoop KMS ACL regression
From: Akira Ajisaka <aajisaka () apache org>
Date: Mon, 11 Mar 2019 15:49:26 +0900
CVE-2018-11767: Apache Hadoop KMS ACL regression Severity: Severe Vendor: The Apache Hadoop Software Foundation Versions affected: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6. Description: After the security fix for CVE-2017-15713, KMS has an access control regression, blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms such as LdapGroupsMapping, CompositeGroupsMapping, or NullGroupsMapping. Mitigation: Users should upgrade to Apache Hadoop 2.7.7, 2.8.5, or 2.9.2. Credit: This issue was discovered by Wei-Chiu Chuang.
Current thread:
- CVE-2018-11767: Apache Hadoop KMS ACL regression Akira Ajisaka (Mar 11)