Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Won't Fix
-
1.1.0, 1.1.1, 1.2.0, 1.1.2, 1.2.1, 1.1.3, 1.2.2
-
None
-
None
Description
I think the method org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache) may have an “Incorrect Permission Assignment for Critical Resource”vulnerability which is vulnerable in in some components of org.apache.storm. It shares similarities to a recent CVE disclosure CVE-2017-3166 in the project "apache/hadoop" project. The influencing components are listed below:
- org.apache.storm:storm-kafka-examples in the versions between 1.1.0 and 1.2.4.
- org.apache.storm:storm-starter in the versions of 1.1.2-1.1.3 and 1.2.0-1.2.2
The source vulnerability information is as follows:
Vulnerability Detail:
CVE Identifier: CVE-2017-3166
Description: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-3166
Patch: https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29
Vulnerability Description: The vulnerability is present in the class org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager of method checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache) , which is responsible for checking the permissions of other files in the distributed cache.. But the check snippet is similar to the vulnerable snippet for CVE-2017-3166 and may have the same consequence as CVE-2017-3166: a file in an encryption zone with access permissions will be stored in a world-readable location and can be freely shared with any application that requests the file to be localized. Therefore, maybe you need to fix the vulnerability with much the same fix code as the CVE-2017-3166 patch.
Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you and look forward to hearing from you soon.