PT-2017-4254 · Apache · Apache Hadoop

Published 2017-11-13 · Updated 2020-08-24 · CVE-2017-3166

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Hadoop versions 2.6.1 through 2.6.5
Apache Hadoop versions 2.7.0 through 2.7.3
Apache Hadoop version 3.0.0-alpha1

Description

The issue is related to incorrect file permission assignments in Apache Hadoop. This can allow a remote attacker to bypass file access restrictions. If a file in an encryption zone with world-readable access permissions is localized via YARN's localization mechanism, it will be stored in a world-readable location and can be shared with any application that requests to localize that file.

Recommendations

For Apache Hadoop versions 2.6.1 through 2.6.5, consider restricting access to files in encryption zones to prevent them from being stored in world-readable locations.
For Apache Hadoop versions 2.7.0 through 2.7.3, restrict access to files in encryption zones to prevent them from being stored in world-readable locations.
For Apache Hadoop version 3.0.0-alpha1, restrict access to files in encryption zones to prevent them from being stored in world-readable locations.
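
To act on the recommendation, an administrator first needs a list of files in encryption zones that are world-readable. The following audit helper is an added example, not part of the original advisory or of Apache Hadoop: it assumes the zone roots come from `hdfs crypto -listZones` and the listing from `hdfs dfs -ls -R`, and the function names, zone paths and listing lines are constructed for illustration.

```python
import re

# One line of `hdfs dfs -ls -R` output: mode, replication, owner, group,
# size, date, time, path. A trailing '+' on the mode marks an extended ACL.
LS_LINE = re.compile(
    r"^(?P<mode>[-d][-rwxtT]{9})(?P<acl>\+?)\s+\S+\s+(?P<owner>\S+)\s+"
    r"\S+\s+\d+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<path>/.*)$"
)

def in_zone(path, zones):
    """True if path is a zone root or lies under one (whole-component match)."""
    return any(path == z or path.startswith(z.rstrip("/") + "/") for z in zones)

def world_readable_in_zones(ls_output, zones):
    """Return (path, mode, owner) for regular files in a zone with other-read set."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything that is not a listing row
        mode, path = m["mode"], m["path"]
        if mode[0] != "-":
            continue  # directories are not localized as resources themselves
        # mode[7] is the read bit of the "other" triplet (rwx rwx [r]wx)
        if mode[7] == "r" and in_zone(path, zones):
            findings.append((path, mode + m["acl"], m["owner"]))
    return findings

# Constructed sample data (hypothetical zone roots and listing rows).
SAMPLE_ZONES = ["/secure/zone1", "/data/enc"]
SAMPLE_LS = """\
drwxr-xr-x   - alice hadoop          0 2017-11-01 10:15 /secure/zone1
-rw-r--r--   3 alice hadoop    1048576 2017-11-01 10:15 /secure/zone1/job deps.jar
-rw-r-----   3 alice hadoop       2048 2017-11-01 10:16 /secure/zone1/keys.properties
-rw-r--r--+  3 bob   hadoop        512 2017-11-02 09:00 /data/enc/lookup.csv
-rw-r--r--   3 bob   hadoop        512 2017-11-02 09:00 /data/encoded/readme.txt
-rw-r--r--   3 carol hadoop         64 2017-11-02 09:01 /tmp/public.txt
"""

if __name__ == "__main__":
    for path, mode, owner in world_readable_in_zones(SAMPLE_LS, SAMPLE_ZONES):
        print(f"{mode}  {owner}  {path}")
```

Files reported with a trailing `+` carry an extended ACL and should be reviewed with `hdfs dfs -getfacl` as well as having the world-read bit removed.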

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers

BDU:2023-05255
CVE-2017-3166
GHSA-99QR-9CC9-FV2X

Affected Products

Apache Hadoop