You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by larry mccay <lm...@apache.org> on 2017/05/26 18:26:44 UTC
[ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
All versions of Apache Knox prior to 0.12.0
An authenticated user may use a specially crafted URL to impersonate another
user while accessing WebHDFS through Apache Knox. This may result in
escalated
privileges and unauthorized data access. While this activity is audit logged
and can be easily associated with the authenticated user, this is still a
serious security issue.
Mitigation:
All users are recommended to upgrade to Apache Knox 0.12.0,
where validation, scrubbing and logging of such attempts has been added.
The Apache Knox 0.12.0 release can be downloaded from:
Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
Re: [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
Posted by larry mccay <la...@gmail.com>.
Yes, Colm - I was thinking the same thing.
Need to add a separate page for this.
Thanks,
--larry
On Mon, May 29, 2017 at 5:43 AM, Colm O hEigeartaigh <co...@apache.org>
wrote:
> Sorry, sent that one too soon. Example:
>
> http://cxf.apache.org/security-advisories
>
> Colm.
>
> On Mon, May 29, 2017 at 10:42 AM, Colm O hEigeartaigh <coheigea@apache.org
> >
> wrote:
>
> > Hi Larry,
> >
> > We should get the CVEs uploaded to the website as well (apologies if it's
> > already done + I missed it). For example:
> >
> >
> > On Fri, May 26, 2017 at 7:26 PM, larry mccay <lm...@apache.org> wrote:
> >
> >> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
> >>
> >> Severity: Important
> >>
> >> Vendor:
> >> The Apache Software Foundation
> >>
> >> Versions Affected:
> >> All versions of Apache Knox prior to 0.12.0
> >>
> >> An authenticated user may use a specially crafted URL to impersonate
> >> another
> >> user while accessing WebHDFS through Apache Knox. This may result in
> >> escalated
> >> privileges and unauthorized data access. While this activity is audit
> >> logged
> >> and can be easily associated with the authenticated user, this is still
> a
> >> serious security issue.
> >>
> >> Mitigation:
> >> All users are recommended to upgrade to Apache Knox 0.12.0,
> >> where validation, scrubbing and logging of such attempts has been
> added.
> >>
> >> The Apache Knox 0.12.0 release can be downloaded from:
> >> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.
> >> 0-src.zip
> >> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.
> 12.0.zip
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
Re: [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
Posted by Colm O hEigeartaigh <co...@apache.org>.
Sorry, sent that one too soon. Example:
http://cxf.apache.org/security-advisories
Colm.
On Mon, May 29, 2017 at 10:42 AM, Colm O hEigeartaigh <co...@apache.org>
wrote:
> Hi Larry,
>
> We should get the CVEs uploaded to the website as well (apologies if it's
> already done + I missed it). For example:
>
>
> On Fri, May 26, 2017 at 7:26 PM, larry mccay <lm...@apache.org> wrote:
>
>> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>>
>> Severity: Important
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> All versions of Apache Knox prior to 0.12.0
>>
>> An authenticated user may use a specially crafted URL to impersonate
>> another
>> user while accessing WebHDFS through Apache Knox. This may result in
>> escalated
>> privileges and unauthorized data access. While this activity is audit
>> logged
>> and can be easily associated with the authenticated user, this is still a
>> serious security issue.
>>
>> Mitigation:
>> All users are recommended to upgrade to Apache Knox 0.12.0,
>> where validation, scrubbing and logging of such attempts has been added.
>>
>> The Apache Knox 0.12.0 release can be downloaded from:
>> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.
>> 0-src.zip
>> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Larry,
We should get the CVEs uploaded to the website as well (apologies if it's
already done + I missed it). For example:
On Fri, May 26, 2017 at 7:26 PM, larry mccay <lm...@apache.org> wrote:
> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> All versions of Apache Knox prior to 0.12.0
>
> An authenticated user may use a specially crafted URL to impersonate
> another
> user while accessing WebHDFS through Apache Knox. This may result in
> escalated
> privileges and unauthorized data access. While this activity is audit
> logged
> and can be easily associated with the authenticated user, this is still a
> serious security issue.
>
> Mitigation:
> All users are recommended to upgrade to Apache Knox 0.12.0,
> where validation, scrubbing and logging of such attempts has been added.
>
> The Apache Knox 0.12.0 release can be downloaded from:
> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.
> 12.0-src.zip
> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com