Vulnerability Description
This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hadoop | <= 2.6.3 |
Related Weaknesses (CWE)
References
- http://seclists.org/oss-sec/2016/q4/698Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/94950Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd
- http://seclists.org/oss-sec/2016/q4/698Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/94950Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd
FAQ
What is CVE-2016-5001?
CVE-2016-5001 is a vulnerability with a CVSS score of 5.5 (MEDIUM). This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a...
How severe is CVE-2016-5001?
CVE-2016-5001 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-5001?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Hadoop.