PT-2019-8794 · Apache · Apache Hadoop
Published: 2019-03-18 · Updated: 2019-10-03 · CVE-2018-11767
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache Hadoop versions 2.7.5 through 2.7.6
Apache Hadoop versions 2.8.3 through 2.8.4
Apache Hadoop versions 2.9.0 through 2.9.1
Description
The issue concerns incorrect user access control in Apache Hadoop, specifically when non-default groups mapping mechanisms are used. This can lead to KMS blocking users or granting access to users incorrectly.
Recommendations
For Apache Hadoop versions 2.7.5 through 2.7.6, consider updating the groups mapping mechanisms to default settings to minimize the risk of incorrect access control.
For Apache Hadoop versions 2.8.3 through 2.8.4, review and adjust the non-default groups mapping mechanisms to ensure correct user access control.
For Apache Hadoop versions 2.9.0 through 2.9.1, reconfigure the KMS to use default groups mapping mechanisms until a proper fix is applied.
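A configuration check for the two conditions named in the description (an affected release and a non-default groups mapping), added here as an example and not code from Apache or from this advisory's publisher. It assumes the mapping is set through the `hadoop.security.group.mapping` property in the core-site.xml that the KMS loads, and that "default" means the value shipped in Hadoop 2.x core-default.xml; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the advisory (inclusive bounds).
AFFECTED = [((2, 7, 5), (2, 7, 6)), ((2, 8, 3), (2, 8, 4)), ((2, 9, 0), (2, 9, 1))]
GROUP_MAPPING_KEY = "hadoop.security.group.mapping"
# Assumption: "default" means the value shipped in Hadoop 2.x core-default.xml.
DEFAULT_MAPPING = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"

# Constructed sample core-site.xml that switches group lookup to LDAP.
SAMPLE_LDAP_SITE = """<configuration>
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
</configuration>"""

def parse_version(text):
    """'2.8.4' or '2.8.4-SNAPSHOT' -> (2, 8, 4); anything else raises ValueError."""
    parts = tuple(int(p) for p in text.strip().split("-")[0].split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return parts

def is_affected_version(text):
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED)

def group_mapping(site_xml):
    """Mapping class set in this file (last definition wins), else the default.
    Simplification: ignores <final> markers and other configuration resources."""
    value = None
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == GROUP_MAPPING_KEY:
            value = (prop.findtext("value") or "").strip()
    return value or DEFAULT_MAPPING

def assess(version, site_xml):
    """Classify one KMS host against the advisory's two conditions."""
    mapping = group_mapping(site_xml)
    if not is_affected_version(version):
        status = "version-not-listed"
    elif mapping != DEFAULT_MAPPING:
        status = "exposed"  # affected release and non-default groups mapping
    else:
        status = "affected-version-default-mapping"
    return {"version": version, "mapping": mapping, "status": status}

if __name__ == "__main__":
    for ver in ("2.8.4", "2.9.2"):
        print(assess(ver, SAMPLE_LDAP_SITE))
```

The status `version-not-listed` means only that the release is outside the ranges this page lists; the page does not name fixed versions.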
Fix
Improper Privilege Management
Weakness Enumeration
Related Identifiers
Affected Products
Apache Hadoop