edit-icon download-icon

[Vulnerability notice] CVE-2017-15718: Information leakage vulnerability in Apache Hadoop YARN NodeManager

Last Updated: Apr 02, 2018

The CVE-2017-15718 information leakage vulnerability was discovered in Apache Hadoop YARN NodeManager 2.7.3 and 2.7.4. This vulnerability is caused from the incomplete repair for CVE-2016-3086 and can be used by attackers to obtain the application password.

The YARN NodeManager can leak the password for credential store provider to YARN Applications. If you use the CredentialProvider feature to encrypt passwords used in NodeManager configurations, any Container launched by that NodeManager may gain access to the encryption password. The other passwords are not directly exposed. We recommend that you check the configurations.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-15718

Vulnerability name

Apache Hadoop YARN NodeManager information leakage vulnerability

Vulnerability rating

High

Vulnerability description

In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The NodeManager can leak the password for credential store provider used by the NodeManager to YARN Applications.

If you use the CredentialProvider feature to encrypt a password, and apply the password to Nodemanager configuration, all containers started by Nodemanager may obtain the encrypted password. Other passwords are not affected.

Condition and method of exploitation

The vulnerability can be remotely exploited through PoC.

PoC status

Published

Affected scope

Hadoop 2.7.3 and 2.7.4

Vulnerability detection

Check whether your Apache Hadoop version is 2.7.3 or 2.7.4.

How to fix or mitigate

  • Version 2.7.5 has been launched on the Apache official website. Apache Hadoop 2.7.3 and 2.7.4 users are advised to upgrade to 2.7.5 or higher versions as soon as possible.

  • If the software cannot be upgraded, set the access permission of the JCEKS file appropriately to restrict the access from unauthorized users.

Note: We recommend that you perform a test and use ECS snapshot to back up data before the upgrade.

Reference

[1]. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718
[2]. https://www.securityfocus.com/archive/1/541716
[3]. http://seclists.org/bugtraq/2018/Jan/92
[4]. https://lists.apache.org/thread.html/773c93c2d8a6a52bbe97610c2b1c2ad205b970e1b8c04fb5b2fccad6@%3Cgeneral.hadoop.apache.org%3E

Thank you! We've received your feedback.