CVE-2015-2263

Name of the Vulnerable Software and Affected Versions Cloudera Manager versions 4.x through 5.3.x before 5.3.3 Cloudera Manager versions 5.0.x through 5.0.5 Cloudera Manager versions 5.1.x through 5.1.4 Cloudera Manager versions 5.2.x through 5.2.4

Description The issue allows local users to obtain sensitive information by reading files in the configuration directory when starting YARN NodeManager, due to the use of global read permissions. This can be demonstrated by accessing files such as yarn.keytab or ssl-server.xml in /var/run/cloudera-scm-agent/process.

Recommendations For Cloudera Manager versions 4.x, update to version 5.3.3 or later to resolve the issue. For Cloudera Manager versions 5.0.x through 5.0.5, update to version 5.0.6 or later to resolve the issue. For Cloudera Manager versions 5.1.x through 5.1.4, update to version 5.1.5 or later to resolve the issue. For Cloudera Manager versions 5.2.x through 5.2.4, update to version 5.2.5 or later to resolve the issue.