CVE-2014-0229: Three HDFS admin commands lack proper privilege checks
Vendor: The Apache Software Foundation
Versions Affected: Apache Hadoop 0.23 prior to 0.23.11, Apache Hadoop 2.x prior to 2.4.1 (fix included in HDP 2.1.3)
Impact: Three HDFS admin commands, refreshNamenodes, deleteBlockPool and shutdownDatanode, lack proper privilege checks in Apache Hadoop 0.23.x prior to 0.23.11 and in 2.x prior to 2.4.1. This allows arbitrary (non-superuser) users to make DataNodes unnecessarily refresh their federated NameNode configuration at an untimely moment, delete inactive block pools, or shut themselves down.
(The shutdownDatanode command was first introduced in 2.4.0; refreshNamenodes and deleteBlockPool were added in 0.23.0.)
Recommended Action: Hadoop 0.23.x users should upgrade to 0.23.11; Hadoop 2.x users should upgrade to HDP 2.1.3, which includes the fix for this vulnerability.
CVE-2014-0228: Apache Hive authorization vulnerability
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache Hive 0.13.0
Users Affected: Users who have enabled SQL standards-based authorization mode
Description: In SQL standards-based authorization mode, the URIs in Hive queries are expected to be authorized against the file system permissions. However, the directory used in import/export statements is not being authorized. This allows a user who knows the directory to which data has been exported to import that data into their own table. This is possible if the user that HiveServer2 runs as has permissions for that directory and its contents.
Recommended Action: Users who use SQL standards-based authorization should upgrade to Hive 0.13.1.
Credit: This issue was discovered by Thejas Nair of Hortonworks
CVE-2013-6446: Apache Hadoop job history server vulnerability
Severity: Major
Vendor: The Apache Software Foundation
Versions Affected: Hadoop 0.23.1 to 0.23.9, Hadoop 2.0.0 to 2.2.0
Users Affected: Users who have enabled Hadoop's MapReduce security features
Impact: Vulnerability allows an unauthorized user to retrieve job details from the job history server
Recommended Action: Hadoop 0.23.x users should upgrade to 0.23.10; Hadoop 2.x users should upgrade to at least 2.3.0 (HDP 2.1.1 includes Hadoop 2.4.0).
Credit: This issue was discovered by Koji Noguchi of Yahoo
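To turn the three advisories above into an inventory check, here is an added example (not code from the advisories or from Apache Hadoop/Hive) that encodes their "Versions Affected" and "Users Affected" conditions and reports which CVEs apply to a deployed version; the function and feature-flag names are assumptions of this example.

```python
import re

def parse_version(s):
    """Turn '2.4.1' (or '2.4.1-something') into (2, 4, 1) for numeric comparison."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % s)
    return tuple(int(p) for p in m.group(0).split("."))

# One entry per advisory on this page:
# (CVE, product, feature that must be enabled for exposure (None = always), version predicate)
ADVISORIES = [
    # Hadoop 0.23.x prior to 0.23.11 and 2.x prior to 2.4.1
    ("CVE-2014-0229", "hadoop", None,
     lambda v: (v[:2] == (0, 23) and v < (0, 23, 11)) or (v[0] == 2 and v < (2, 4, 1))),
    # Hadoop 0.23.1 to 0.23.9 and 2.0.0 to 2.2.0, only with MapReduce security enabled
    ("CVE-2013-6446", "hadoop", "mapreduce_security",
     lambda v: (0, 23, 1) <= v <= (0, 23, 9) or (2, 0, 0) <= v <= (2, 2, 0)),
    # Hive 0.13.0 only, and only in SQL standards-based authorization mode
    ("CVE-2014-0228", "hive", "sql_std_auth",
     lambda v: v == (0, 13, 0)),
]

def affected(product, version, enabled=()):
    """Return the CVE ids from this page that apply to product/version.

    `enabled` is the set of feature flags turned on in the deployment
    ('mapreduce_security', 'sql_std_auth'); advisories that only matter
    with a feature enabled are skipped when that flag is absent.
    """
    v = parse_version(version)
    return [cve for cve, prod, needs, hit in ADVISORIES
            if prod == product and hit(v) and (needs is None or needs in enabled)]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, prod, ver, feats in [("nn1", "hadoop", "2.2.0", {"mapreduce_security"}),
                                   ("nn2", "hadoop", "2.4.1", set()),
                                   ("hs2", "hive", "0.13.0", {"sql_std_auth"})]:
        print(host, prod, ver, affected(prod, ver, feats))
```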