PT-2018-2593 · Apache · Apache Hadoop

Published: 2018-02-09 · Updated: 2019-02-21 · CVE-2018-1296

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Hadoop versions 2.5.0 through 2.7.5
Apache Hadoop versions 2.8.0 through 2.8.3
Apache Hadoop version 2.9.0
Apache Hadoop versions 3.0.0-alpha1 through 3.0.0
Description

The issue stems from an access-control error that allows unauthorized access to protected information; a remote attacker can exploit it to read sensitive data. HDFS exposes extended attribute key/value pairs during listXAttrs, but it verifies only path-level search access to the containing directory rather than path-level read permission on the referent (the file or directory whose attributes are being listed).
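The access check described above, modelled in Python as an added illustration (constructed for this page, not Hadoop's code): the pre-fix path verifies only search permission on the directories leading to the file, while the corrected path additionally requires read permission on the referent whose attributes are listed. The namespace layout, user names and attribute names are made up for the example.

```python
from dataclasses import dataclass, field

READ, EXECUTE = 4, 1           # POSIX-style permission bits, as in HDFS

@dataclass
class Inode:
    owner: str
    group: str
    mode: int                                   # e.g. 0o750
    xattrs: dict = field(default_factory=dict)  # extended attribute key/value pairs

def has_action(user, inode, action):
    """True if user=(name, groups) holds rwx bit `action` on inode (owner/group/other)."""
    name, groups = user
    if name == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bool(bits & action)

def ancestors_of(path):
    """Directories traversed to reach path: '/data/payroll.csv' -> ['/', '/data']."""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def list_xattrs_vulnerable(fs, user, path):
    """Pre-fix check: only search (EXECUTE) on each ancestor directory is verified."""
    if not all(has_action(user, fs[d], EXECUTE) for d in ancestors_of(path)):
        raise PermissionError(path)
    return dict(fs[path].xattrs)                # returned even if the file is unreadable

def list_xattrs_fixed(fs, user, path):
    """Corrected check: search on ancestors plus READ on the referent inode itself."""
    if not all(has_action(user, fs[d], EXECUTE) for d in ancestors_of(path)):
        raise PermissionError(path)
    if not has_action(user, fs[path], READ):
        raise PermissionError(path)
    return dict(fs[path].xattrs)

def build_sample_fs():
    """Constructed sample namespace: world-searchable dirs, a file readable only by its owner."""
    return {
        "/": Inode("hdfs", "supergroup", 0o755),
        "/data": Inode("alice", "finance", 0o711),
        "/data/payroll.csv": Inode("alice", "finance", 0o600,
                                   xattrs={"user.classification": "confidential"}),
    }
```

With the sample namespace, a user who is neither owner nor group member can traverse to the file and is handed its attributes by the pre-fix check, while the corrected check denies the request.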
Recommendations

For all affected release lines (Apache Hadoop 2.5.0 through 2.7.5, 2.8.0 through 2.8.3, 2.9.0, and 3.0.0-alpha1 through 3.0.0), update to a version that includes the fix for this issue. As a temporary workaround until the patch can be applied, consider restricting access to the HDFS listXAttrs function.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2019-01068
CVE-2018-1296
GHSA-V569-G72V-Q434

Affected Products

Apache Hadoop