CVE-2016-3086 — CRITICAL (9.8)

Vulnerability Description

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Hadoop	2.6.0

Related Weaknesses (CWE)

CWE-200

References

http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-Mailing ListMitigationVendor Advisory
http://www.securityfocus.com/bid/95335Third Party AdvisoryVDB Entry
http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-Mailing ListMitigationVendor Advisory
http://www.securityfocus.com/bid/95335Third Party AdvisoryVDB Entry

FAQ

What is CVE-2016-3086?

CVE-2016-3086 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

How severe is CVE-2016-3086?

CVE-2016-3086 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2016-3086?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Hadoop.