Posted to general@hadoop.apache.org by Akira Ajisaka <aa...@apache.org> on 2019/03/11 06:49:26 UTC
CVE-2018-11767: Apache Hadoop KMS ACL regression
Severity: Severe
Vendor: The Apache Hadoop Software Foundation
Versions affected: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6.
Description:
After the security fix for CVE-2017-15713, KMS has an access control regression,
blocking users or granting access to users incorrectly, if the system
uses non-default groups mapping mechanisms such as LdapGroupsMapping,
CompositeGroupsMapping, or NullGroupsMapping.
Mitigation:
Users should upgrade to Apache Hadoop 2.7.7, 2.8.5, or 2.9.2.
Credit:
This issue was discovered by Wei-Chiu Chuang.
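An added example, not part of the original advisory or of Hadoop itself: a triage check that combines the affected version ranges above with the configured groups mapping to decide whether a KMS host matches the conditions described. It assumes the mapping is set through the hadoop.security.group.mapping property in a core-site.xml-style file and that the Hadoop 2.x default is JniBasedUnixGroupsMappingWithFallback; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Affected patch ranges and fixed releases per branch, taken from the advisory.
AFFECTED = {(2, 7): ((5, 6), "2.7.7"),
            (2, 8): ((3, 4), "2.8.5"),
            (2, 9): ((0, 1), "2.9.2")}
# Assumption: property name and default class as shipped in Hadoop 2.x core-default.xml.
PROP = "hadoop.security.group.mapping"
DEFAULT = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"

def version_affected(version):
    """Return the fixed release to upgrade to, or None if the version is not listed."""
    # Drop any suffix such as "-SNAPSHOT"; raises ValueError on malformed input.
    major, minor, patch = (int(p) for p in version.split("-")[0].split(".")[:3])
    entry = AFFECTED.get((major, minor))
    if entry and entry[0][0] <= patch <= entry[0][1]:
        return entry[1]
    return None

def group_mapping(site_xml):
    """Return the groups mapping class set in a core-site.xml document (trusted local file)."""
    value = DEFAULT
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            # A later definition overrides an earlier one; empty falls back to the default.
            value = (prop.findtext("value") or "").strip() or DEFAULT
    return value

def assess(version, site_xml):
    """Flag hosts that run an affected release with a non-default groups mapping."""
    fixed = version_affected(version)
    mapping = group_mapping(site_xml)
    return {"exposed": fixed is not None and mapping != DEFAULT,
            "mapping": mapping,
            "upgrade_to": fixed}

# Constructed sample configuration, not taken from a real cluster.
SAMPLE_SITE = """<configuration>
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    print(assess("2.8.4", SAMPLE_SITE))
```

A host on an affected release still gets an upgrade_to value when it uses the default mapping, since the advisory's mitigation is to upgrade.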