Hortonworks Data Platform

Fixed Common Vulnerabilities and Exposures

This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed in this release.

CVE-2015-7521

Summary: Zip Slip (path traversal during archive extraction) in the Apache Hadoop distributed cache

Severity: Critical

Vendor: Hortonworks

Versions Affected: HDP 3.0.0

Users Affected: Users who run MapReduce jobs.

Impact: Zip Slip is a widespread, critical arbitrary file overwrite vulnerability. An archive entry whose name contains directory traversal sequences (for example "../../") is written outside the intended extraction directory when the extractor joins the entry name onto the destination path without validating the result. Overwriting a file that is later executed or loaded (a startup script, a library, a configuration file) typically turns this into remote command execution. Here the affected code path is the unpacking of archives submitted to the Hadoop distributed cache. The vulnerability class was discovered and responsibly disclosed by the Snyk Security team.

Recommended Action: Upgrade to HDP 3.0.1+.
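To make the failure mode concrete, the following Python script is an added example, not code from the Hortonworks or Apache Hadoop projects. It builds a small archive in memory (constructed sample data) containing one ordinary entry and one traversal entry, extracts it with the naive pattern that Zip Slip exploits, then extracts it again with a hardened extractor that canonicalises every entry path and refuses the whole archive if any entry resolves outside the destination. All function names, the entry names and the scratch directory layout are assumptions made for the demonstration.

```python
"""Zip Slip: attacker-controlled archive entry names versus a path-validating extractor."""
import io
import os
import tempfile
import zipfile


def build_zip(include_traversal: bool) -> bytes:
    """Constructed sample archive. With include_traversal=True it carries a Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jobdata/config.txt", "harmless job configuration\n")
        if include_traversal:
            # Entry name climbs two levels above the extraction directory.
            zf.writestr("../../.bashrc", "echo pwned\n")
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts the entry name and joins it straight onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, info.filename))  # '..' is honoured
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(name: str, dest: str) -> bool:
    """True only if `name` resolves to a path inside `dest` after canonicalisation.

    Absolute names, '..' segments and symlinked destinations are all handled
    because both sides go through realpath before the containment check.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    try:
        return os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:  # e.g. different drives on Windows: cannot be inside dest
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: validate every entry first, write only if all of them pass."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_safe_entry(i.filename, dest_real)]
        if bad:
            raise ValueError(f"Zip Slip: entries escape {dest_real}: {bad}")
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Symlink entries are written as regular files here (their content is the
            # link target), so no link pointing outside dest can be created.
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree and report what each one did."""
    malicious = build_zip(include_traversal=True)
    benign = build_zip(include_traversal=False)
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "cache", "archive")
        os.makedirs(dest)
        unsafe_extract(malicious, dest)
        # root/cache/archive/../../.bashrc resolves to root/.bashrc
        escaped = os.path.exists(os.path.join(root, ".bashrc"))

        safe_dest = os.path.join(root, "safe")
        os.makedirs(safe_dest)
        try:
            safe_extract(malicious, safe_dest)
            rejected = False
        except ValueError:
            rejected = True
        safe_written = sorted(os.listdir(safe_dest))

        benign_dest = os.path.join(root, "benign")
        os.makedirs(benign_dest)
        safe_extract(benign, benign_dest)
        benign_written = sorted(os.listdir(benign_dest))
    return {
        "unsafe_escaped": escaped,
        "safe_rejected": rejected,
        "safe_written": safe_written,
        "benign_written": benign_written,
    }


if __name__ == "__main__":
    print(demo())
```

The important design choice is the two-pass shape of safe_extract: every entry is checked before the first byte is written, so a malicious archive leaves nothing behind rather than a half-extracted tree. Checking with realpath plus commonpath, rather than a string prefix test, also covers absolute entry names and a destination that is itself a symlink.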

CVE-2018-12536

Summary: Server path disclosure in InvalidPathException error message

Severity: Moderate

Vendor: Hortonworks

Versions Affected: HDP 3.0.0

Users Affected: Users who use the Spark user interfaces.

Impact: When a request with an intentionally malformed path arrives, the error message included in the HTTP response reveals the full server-side filesystem path to the requesting client. This is an information disclosure that aids further attacks rather than a compromise on its own.

Recommended Action: Upgrade to HDP 3.0.1.

CVE-2018-11778

Summary: Apache Ranger Stack based buffer overflow

Severity: Critical

Vendor: Hortonworks

Versions Affected: HDP 2.3/2.4/2.5/2.6/3.0 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.x/1.1.0

Users Affected: Environments that use the Ranger UNIX authentication service (UnixAuthenticationService).

Impact: The Ranger UnixAuthenticationService did not properly bound user-supplied input, allowing a stack-based buffer overflow. An attacker who can send authentication requests to the service can at minimum crash it and, as is typical for stack-based overflows, may be able to execute arbitrary code with the privileges of the service.

Recommended Action: Upgrade to HDP 3.0.1+.