10. Common Vulnerabilities and Exposures

  • CVE-2014-0229: Three HDFS admin commands lack proper privilege checks

    Vendor: The Apache Software Foundation

    Versions Affected: Apache Hadoop 0.23 prior to 0.23.11, Apache Hadoop 2.x prior to 2.4.1

    Impact: Three HDFS admin commands, refreshNamenodes, deleteBlockPool and shutdownDatanode, lack proper privilege checks in Apache Hadoop 0.23.x prior to 0.23.11 and in 2.x prior to 2.4.1. This allows arbitrary users to create data nodes unnecessarily, make a DataNode refresh its federated NameNode configuration in an untimely manner, delete inactive block pools, or shut the DataNode down.

    (The shutdownDatanode command was first introduced in 2.4.0; refreshNamenodes and deleteBlockPool were added in 0.23.0.)

    Recommended Action: Hadoop 0.23.x users should upgrade to 0.23.11, Hadoop 2.x users should upgrade to 2.4.1.

  • CVE-2013-6446: Apache Hadoop job history server vulnerability

    Severity: Major

    Vendor: The Apache Software Foundation

    Versions Affected: Hadoop 0.23.1 to 0.23.9, Hadoop 2.0.0 to 2.2.0

    Users Affected: Users who have enabled Hadoop's MapReduce security features

    Impact: Vulnerability allows an unauthorized user to retrieve job details from the job history server

    Recommended Action: Hadoop 0.23.x users should upgrade to 0.23.10, Hadoop 2.x users should upgrade to 2.3.0

    Credit: This issue was discovered by Koji Noguchi of Yahoo
