Access Control Issues in Apache Hadoop KMS for Specific User Groups
CVE-2018-11767

7.4HIGH

Key Information:

Vendor

Apache
Status
Apache Hadoop
Vendor
CVE Published:
21 March 2019

What is CVE-2018-11767?

Apache Hadoop versions 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6 exhibit a vulnerability in the KMS (Key Management Server) where the access control lists (ACLs) do not function as intended when non-default group mapping mechanisms are employed. This may lead to unauthorized users gaining access or legitimate users being inadvertently blocked. This situation underscores the importance of validating group mappings in Hadoop environments to maintain robust security postures.

Affected Version(s)

Apache Hadoop Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6

References

https://lists.apache.org/thread.html/5fb771f66946dd5c99a8...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/246cf223e7dc0c1dff90...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/5a44590b4eedc5e25f5b...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.