The CVE-2017-15718 information leakage vulnerability was discovered in Apache Hadoop YARN NodeManager 2.7.3 and 2.7.4. This vulnerability is caused from the incomplete repair for CVE-2016-3086 and can be used by attackers to obtain the application password.
The YARN NodeManager can leak the password for credential store provider to YARN Applications. If you use the CredentialProvider feature to encrypt passwords used in NodeManager configurations, any Container launched by that NodeManager may gain access to the encryption password. The other passwords are not directly exposed. We recommend that you check the configurations.
See the following for more information about the vulnerability.
Apache Hadoop YARN NodeManager information leakage vulnerability
In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The NodeManager can leak the password for credential store provider used by the NodeManager to YARN Applications.
If you use the CredentialProvider feature to encrypt a password, and apply the password to Nodemanager configuration, all containers started by Nodemanager may obtain the encrypted password. Other passwords are not affected.
Condition and method of exploitation
The vulnerability can be remotely exploited through PoC.
Hadoop 2.7.3 and 2.7.4
Check whether your Apache Hadoop version is 2.7.3 or 2.7.4.
How to fix or mitigate
Version 2.7.5 has been launched on the Apache official website. Apache Hadoop 2.7.3 and 2.7.4 users are advised to upgrade to 2.7.5 or higher versions as soon as possible.
If the software cannot be upgraded, set the access permission of the JCEKS file appropriately to restrict the access from unauthorized users.
Note: We recommend that you perform a test and use ECS snapshot to back up data before the upgrade.