Table of Contents |
---|
Fixed in Ambari 2.7.0
...
Anchor CVE-2018-8042 CVE-2018-8042
CVE-2018-8042: Passwords for Hadoop credential stores are visible in Ambari Agent standard out
Severity: Important
Vendor: Hortonworks
Versions Affected: Ambari 2.5.x, Ambari 2.6.x
Versions Fixed: Ambari 2.7.0
Description:
Passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.
Mitigation:
Ambari 2.5.x installations should be upgraded to Ambari 2.7.0
Ambari 2.6.x installations should be upgraded to Ambari 2.7.0
Credit:
This issue was discovered by Hortonworks.
Fixed in Ambari 2.6.2
...
Anchor CVE-2018-8003 CVE-2018-8003
...
Anchor CVE-2017-5642 CVE-2017-5642
CVE-2017-5642: Ambari Server artifacts do not have proper ACLs
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 2.4.0 to 2.4.2
Versions Fixed: 2.4.3, 2.5.0
Description: During installation, Ambari Server artifacts are not created with proper ACLs
Mitigation: Ambari users should upgrade to version 2.5.0 or above. For users of Version 2.4.0 through Version 2.4.2, either upgrade to version 2.4.3 or execute the script provided with Version 2.5.0 to correct the ACLs on Ambari server artifacts.
The proper ACL's are set for installed Ambari artifacts in Ambari versions 2.4.3, 2.5.0 and later. However, users of Version 2.4.0 through 2.4.2 may execute the script found at https://github.com/apache/ambari/blob/release-2.5.0/ambari-server/src/main/resources/scripts/check_ambari_permissions.py to fix the permissions on Ambari server artifacts on the Ambari server host.
Credit: Hortonworks
...
Anchor CVE-2017-5654 CVE-2017-5654
CVE-2017-5654: XML injection vulnerability in Hive View
...