Fixed in Ambari 2.4.2
...
CVE-2016-6807: Custom commands may be executed without authorization
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 2.4.0 to 2.4.1
Versions Fixed: 2.4.2
Description: Custom commands may be executed on the Ambari Agent hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.
Mitigation: Ambari users should upgrade to version 2.4.2 or above.
Version 2.4.2 onwards enforces that the requesting user holds the role required for a given custom command before the command is dispatched to the Ambari Agent hosts.
Credit: Nitya Kumar Sharma from Microsoft
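To make the mitigation concrete, the following is an added illustration written for this page; it is not Ambari's code. It contrasts a dispatcher that forwards any authenticated user's custom command to the agent with one that checks the caller's role first, denying unknown commands by default. The role names follow Ambari's role set, but the command-to-role mapping and the linear role ordering are assumptions made for the example.

```python
from enum import IntEnum
from typing import List


class Role(IntEnum):
    """Ambari role names; the strict linear ordering is an assumption for this example."""
    CLUSTER_USER = 1
    SERVICE_OPERATOR = 2
    SERVICE_ADMINISTRATOR = 3
    CLUSTER_OPERATOR = 4
    CLUSTER_ADMINISTRATOR = 5


class AuthorizationError(PermissionError):
    pass


# Assumed mapping of custom commands to the minimum role that may run them.
# Commands not listed here are unknown and must never reach an agent host.
REQUIRED_ROLE = {
    "RESTART": Role.SERVICE_OPERATOR,
    "DECOMMISSION": Role.CLUSTER_OPERATOR,
}


def dispatch_unchecked(user_role: Role, command: str, queue: List[str]) -> bool:
    """Pre-fix behaviour: the command is queued for the agent without any role check,
    so a Cluster User can trigger operations that run as the agent's OS user."""
    queue.append(command)
    return True


def dispatch_checked(user_role: Role, command: str, queue: List[str]) -> bool:
    """Post-fix behaviour: deny by default, then require the mapped role."""
    required = REQUIRED_ROLE.get(command)
    if required is None:
        raise AuthorizationError(f"unknown custom command {command!r} rejected")
    if user_role < required:
        raise AuthorizationError(
            f"{user_role.name} may not run {command}; requires {required.name}")
    queue.append(command)
    return True


if __name__ == "__main__":
    agent_queue: List[str] = []
    dispatch_unchecked(Role.CLUSTER_USER, "DECOMMISSION", agent_queue)
    print("unchecked dispatcher queued:", agent_queue)
    try:
        dispatch_checked(Role.CLUSTER_USER, "DECOMMISSION", [])
    except AuthorizationError as exc:
        print("checked dispatcher refused:", exc)
```

The point of the deny-by-default branch is that adding a new custom command without an entry in the mapping fails closed rather than silently becoming runnable by everyone.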
Fixed in Ambari 2.4.0
...
CVE-2014-3582: OpenSSL parameter injection vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.2.0 to 2.2.0
Versions Fixed: 2.4.0
Description: It may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster, because an agent-supplied host name is passed into the OpenSSL invocation.
Mitigation: Ambari users should upgrade to version 2.4.0 or above.
Version 2.4.0 onwards validates that agent-supplied host names are well-formed hostnames before executing OpenSSL commands to create SSL certificates. This check can be disabled by setting security.agent.hostname.validate to "false" in the ambari.properties file. It is strongly recommended that the default value of security.agent.hostname.validate is left unchanged, since disabling it re-exposes this vulnerability.
Credit: David Jorm
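The following is an added example written for this page, not Ambari's own code, showing the two controls the mitigation relies on: rejecting anything that is not a syntactically valid hostname (RFC 1123 labels, no leading hyphen, so a value cannot become an OpenSSL option such as -config, a path component, or shell text), and passing the result to OpenSSL as an argument vector rather than as a shell string. The `validate` flag mirrors the effect of security.agent.hostname.validate; the openssl arguments and the certificate directory are assumptions for the illustration.

```python
import re
import shlex
from typing import List

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """RFC 1123 syntax check: at most 253 characters, dot-separated valid labels.
    Rejects shell metacharacters, spaces, '/', '..' and option-like '-x' values."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):          # allow a single trailing dot (FQDN form)
        name = name[:-1]
    return all(_LABEL_RE.match(label) for label in name.split("."))


def unsafe_openssl_command(hostname: str, certs_dir: str) -> str:
    """The vulnerable pattern (illustrative, not Ambari's exact code): the agent's
    host name is concatenated into a shell command line. Returned, never executed."""
    return (f"openssl req -new -newkey rsa:2048 -nodes -subj /CN={hostname} "
            f"-keyout {certs_dir}/{hostname}.key -out {certs_dir}/{hostname}.csr")


def openssl_csr_argv(hostname: str, certs_dir: str, validate: bool = True) -> List[str]:
    """Hardened form: validate first, then build an argv list for subprocess.run
    (no shell). validate=False mirrors security.agent.hostname.validate=false."""
    if validate and not is_valid_hostname(hostname):
        raise ValueError(f"rejected agent-supplied host name: {hostname!r}")
    return ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", f"/CN={hostname}",
            "-keyout", f"{certs_dir}/{hostname}.key",
            "-out", f"{certs_dir}/{hostname}.csr"]


def shell_would_split_into(command: str) -> int:
    """Number of tokens a POSIX shell would see; shows how injected text re-tokenises."""
    return len(shlex.split(command))


if __name__ == "__main__":
    bad = "node1.example.com; id"
    print("unsafe:", unsafe_openssl_command(bad, "/var/lib/ambari-server/keys"))
    print("safe:", openssl_csr_argv("node1.example.com", "/var/lib/ambari-server/keys"))
    try:
        openssl_csr_argv(bad, "/var/lib/ambari-server/keys")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the argv list alone is not sufficient: without the syntax check, a host name beginning with "-" is still parsed by openssl as an option, and one containing "/" or ".." still controls where the key and CSR are written, which is why the validation must stay enabled.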
Fixed in Ambari 2.2.1
...
CVE-2016-0731: Ambari File Browser View security vulnerability
...