Vulnerability Description
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hadoop | 0.23.0 |
Related Weaknesses (CWE)
References
- http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97d
- http://secunia.com/advisories/60079
- http://secunia.com/advisories/60432
- http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97d
- http://secunia.com/advisories/60079
- http://secunia.com/advisories/60432
FAQ
What is CVE-2014-3627?
CVE-2014-3627 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to ...
How severe is CVE-2014-3627?
CVE-2014-3627 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3627?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Hadoop.