Fixed in Ambari 2.1.2

...

CVE-2016-0707: File System Permissions aren't restrictive enough for the Agent/Command logs

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.1.1

Versions Fixed: 2.1.2

Description: The Ambari agent's working folders (e.g. /var/lib/ambari-agent/data, /var/lib/ambari-agent/keys) do not have a restricted ACL. Because the command log files may contain sensitive information, this potentially allows access by unauthorized users.

Mitigation: Ambari users should use version 2.1.2 or above to install new clusters. From version 2.1.2 onwards, ambari-agent work folders are created with a restricted ACL. In addition, after upgrading to 2.1.2 or above, users should check and modify the ACLs of the existing folders as follows:

  • chmod -R 0600 /var/lib/ambari-agent/data
  • chmod -R a+X /var/lib/ambari-agent/data
  • chmod -R a+rx /var/lib/ambari-agent/data/tmp
  • chmod 0600 /var/lib/ambari-agent/keys/*.key
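An added audit-and-repair script for the steps above (example code, not from the advisory or the Ambari project). It assumes GNU find (for -perm /MODE), defaults to the advisory's paths, and accepts another base directory as its first argument so it can be tried against a copy of the tree; the fix function reaches the same end state as the four chmod commands but applies the modes through find so that no directory loses its search bit part-way through the run.

```shell
#!/bin/sh
# Audit/repair the ambari-agent work-folder modes described in CVE-2016-0707.
# Assumes GNU find (-perm /MODE). Base directory defaults to the advisory's
# /var/lib/ambari-agent; pass another path as $1 to check a staging copy.

ambari_agent_perm_check() {
  base="${1:-/var/lib/ambari-agent}"; data="$base/data"; keys="$base/keys"; rc=0
  [ -d "$data" ] || { echo "FAIL: $data does not exist"; return 1; }
  # Command/status logs (everything under data/ except data/tmp) must be 0600:
  # flag any file that still carries a group or other permission bit.
  bad=$(find "$data" -path "$data/tmp" -prune -o -type f -perm /077 -print)
  [ -z "$bad" ] || { printf 'FAIL: group/other bits on log file(s):\n%s\n' "$bad"; rc=1; }
  # Directories end up as 0600 + a+X = 0711: search bit only, no group/other r/w.
  bad=$(find "$data" -path "$data/tmp" -prune -o -type d -perm /066 -print)
  [ -z "$bad" ] || { printf 'FAIL: group/other r/w on directory(ies):\n%s\n' "$bad"; rc=1; }
  # Agent private keys must be 0600.
  if [ -d "$keys" ]; then
    bad=$(find "$keys" -type f -name '*.key' -perm /077 -print)
    [ -z "$bad" ] || { printf 'FAIL: group/other bits on key file(s):\n%s\n' "$bad"; rc=1; }
  fi
  return $rc
}

# Same end state as the advisory's chmod sequence, applied via find so that
# directories keep their search bit throughout (chmod -R 0600 on data/ clears
# it first and therefore relies on being run as root).
ambari_agent_perm_fix() {
  base="${1:-/var/lib/ambari-agent}"; data="$base/data"; keys="$base/keys"
  find "$data" -type d -exec chmod 0711 {} +   # chmod -R 0600 then chmod -R a+X, for dirs
  find "$data" -type f -exec chmod 0600 {} +   # chmod -R 0600, for the log files
  if [ -d "$data/tmp" ]; then chmod -R a+rx "$data/tmp"; fi   # advisory keeps tmp readable
  if [ -d "$keys" ]; then find "$keys" -type f -name '*.key' -exec chmod 0600 {} +; fi
}

# sh ambari-agent-perms.sh check   (audit only)   |   sh ambari-agent-perms.sh fix
case "${1:-}" in
  check) ambari_agent_perm_check ;;
  fix)   ambari_agent_perm_fix && ambari_agent_perm_check ;;
esac
```

The check exits non-zero and lists every offending path, so it can be run from cron or a compliance job after the upgrade to confirm the ACLs on pre-existing folders were actually tightened.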

CVE-2015-5210: Unvalidated Redirects and Forwards using targetURI parameter can enable phishing exploits

...