CVE-2017-7669

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 5 June 2017

Summary

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

Affected Version(s)

Apache Hadoop 2.8.0

Apache Hadoop 3.0.0-alpha1 and 3.0.0-alpha2

References

http://www.securityfocus.com/bid/98795

vdb-entryx_refsource_BID

https://mail-archives.apache.org/mod_mbox/hadoop-user/201...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 5, 2017
Vulnerability Reserved
Apr 11, 2017