Posted to user@hadoop.apache.org by Laszlo Czol <cz...@gmail.com> on 2020/09/18 09:56:14 UTC

Hadoop Client version 3.2.1 vulnerability

I'm having a problem using hadoop-client version 3.2.1 in my dependency
tree. It has a vulnerable jar: org.apache.hadoop :
hadoop-mapreduce-client-core : 3.2.1. The code for the vulnerability is
CVE-2017-3166; basically, *if a file in an encryption zone with access
permissions that make it world readable is localized via YARN's
localization mechanism, that file will be stored in a world-readable
location and can be shared freely with any application that requests to
localize that file*. The problem is that if I update to hadoop-client
version 3.3.0 the vulnerability remains, and I wouldn't want to downgrade
to version 2.8.1, which is the next non-vulnerable version.
Do you have any roadmap or any plan for this?

Thanks!
Kind regards,
Laszlo