oss-sec mailing list archives
CVE-2018-1296: Apache Hadoop HDFS Permissive listXAttr Authorization
From: Akira Ajisaka <aajisaka () apache org>
Date: Thu, 24 Jan 2019 13:34:21 +0900
CVE-2018-1296: Apache Hadoop HDFS Permissive listXAttr Authorization Severity: Important Vendor: The Apache Software Foundation Versions Affected: 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5 Description: HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. This affects features that store sensitive data in extended attributes, such as HDFS encryption secrets. Mitigation: If a file contains sensitive data in extended attributes, users and admins need to change the permission to prevent others from listing the directory which contains the file. Credit: This issue was discovered by Rushabh Shah.
Current thread:
- CVE-2018-1296: Apache Hadoop HDFS Permissive listXAttr Authorization Akira Ajisaka (Jan 23)