Fixed in Ambari 2.1.2
...
CVE-2016-0707: File System Permissions aren't restrictive enough for the Agent/Command logs
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.1.1
Versions Fixed: 2.1.2
Description: The Ambari agent's working folders (e.g. /var/lib/ambari-agent/data, /var/lib/ambari-agent/keys) do not have a restricted ACL. Because the command log files may contain sensitive information, this potentially allows access by unauthorized users.
Mitigation: Ambari users should use version 2.1.2 or above to install new clusters. From version 2.1.2 onwards, ambari-agent work folders are created with a restricted ACL. In addition, after upgrading to 2.1.2 or above, users should check and modify the ACLs of the existing folders as follows:
- chmod -R 0600 /var/lib/ambari-agent/data
- chmod -R a+X /var/lib/ambari-agent/data
- chmod -R a+rx /var/lib/ambari-agent/data/tmp
- chmod 0600 /var/lib/ambari-agent/keys/*.key
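An added audit script (not from the advisory or the Ambari project) that checks an existing agent tree against the ACL the four chmod lines above produce; it assumes GNU findutils (`-perm /mode`) and takes the base directory as an optional argument, defaulting to the advisory's /var/lib/ambari-agent:

```shell
#!/bin/sh
# Added example, not part of the Apache advisory: audit an ambari-agent work tree
# for the permissions the advisory's four chmod lines leave behind. Assumes GNU
# findutils (-perm /mode); an optional argument overrides /var/lib/ambari-agent.

# Print every offending path and return 1 if any is found, 0 when the tree matches
# the advisory's ACL: data files (outside data/tmp) 0600, directories traversable
# (a+X) but not readable/writable by group or others, keys/*.key 0600.
check_ambari_agent_perms() {
    base="${1:-/var/lib/ambari-agent}"
    data="$base/data"
    keys="$base/keys"
    if [ ! -d "$data" ] || [ ! -d "$keys" ]; then
        echo "missing $data or $keys; nothing audited" >&2
        return 2
    fi
    offenders=$( {
        # command/log files must carry no group or other bits at all
        find "$data" -path "$data/tmp" -prune -o -type f -perm /077 -print
        # directories may keep the a+X traverse bit but no r/w for group/others
        find "$data" -path "$data/tmp" -prune -o -type d -perm /066 -print
        # private keys must be owner-only
        find "$keys" -maxdepth 1 -name '*.key' -perm /077 -print
    } 2>/dev/null )
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Build a constructed sample tree in a temp dir with the modes the advisory's
# chmod sequence yields (set per path so this also works without root) and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/data/tmp" "$root/keys"
    echo 'constructed command log: password=not-a-real-secret' > "$root/data/command-1.json"
    echo 'constructed tmp output' > "$root/data/tmp/output-1.txt"
    echo 'constructed key material' > "$root/keys/host.key"
    chmod 0600 "$root/data/command-1.json" "$root/keys/host.key"
    chmod 0755 "$root/data/tmp" "$root/data/tmp/output-1.txt"   # a+rx result
    chmod 0711 "$root/data"                                     # 0600 + a+X
    printf '%s\n' "$root"
}
# Stand-alone demonstration: hardened tree passes, then one loosened log fails.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    check_ambari_agent_perms "$t" && echo "hardened tree: OK"
    chmod 0644 "$t/data/command-1.json"
    check_ambari_agent_perms "$t" || echo "loosened tree: FAIL (expected)"
    rm -rf "$t"
fi
```

Run it with `--demo` to see both outcomes on the constructed tree, or with no argument after sourcing it to audit a real /var/lib/ambari-agent (it only reads modes and never changes them).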
CVE-2015-5210: Unvalidated Redirects and Forwards using targetURI parameter can enable phishing exploits
...