Page History

Fixed in Ambari 2.7.4

...

CVE-2020-1936 :cross-site scripting vulnerability in Ambari Alerts 

Severity: Medium 

Vendor: Cloudera

Versions Affected: prior to Ambari 2.7.4

Versions Fixed: Ambari 2.7.4

Description:

Special characters should be encoded when displayed in Ambari Views. If special characters are not encoded, then scripts (<script>alert("xss!")</script>) may be executed due to user input. For example, issues may occur by placing special character in the Display Name field of an Ambari View.

Mitigation:

Upgraded to Ambari 2.7.4

Fixed in Ambari 2.7.0

...

CVE-2018-8042: Passwords for Hadoop credential stores are visible in Ambari Agent standard out

Severity: Important

Vendor: Hortonworks

Versions Affected: Ambari 2.5.x, Ambari 2.6.x

Versions Fixed: Ambari 2.7.0

Description:
Passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.

Mitigation:
Ambari 2.5.x installations should be upgraded to Ambari 2.7.0
Ambari 2.6.x installations should be upgraded to Ambari 2.7.0

Credit:
This issue was discovered by Hortonworks.

Fixed in Ambari 2.6.2

...

CVE-2018-8003: Path traversal in Ambari allows remote and unauthenticated access to files in the filesystem

Severity: Important

Vendor: Hortonworks

Versions Affected: Ambari 1.4.0 through Ambari 2.6.1

Description: Ambari is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides read-only access to any file on the filesystem of the host the Ambari Server runs on that is accessible by the user the Ambari Server is running as. Direct network access to the Ambari Server is required to issue this request, and those Ambari Servers that are protected behind a firewall, or in a restricted network zone are at less risk of being affected by this issue.

Mitigation:
Ambari 2.5.x and earlier installations should be upgraded to Ambari 2.6.2
Ambari 2.6.0 installations should be upgraded to Ambari 2.6.2
Ambari 2.6.1 installations should be upgraded to Ambari 2.6.2

Credit:  Krzysztof Przybylski from STM Solutions

Fixed in Ambari 2.5.1

...

CVE-2017-5654: XML injection vulnerability in Hive View

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 2.4.0 through 2.4.2, and 2.5.0

Versions Fixed: 2.4.3, 2.5.1

Description: An authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Amari server executes. 
Access to files are limit to the set of files for which the user that executes the Ambari server has read access.

Mitigation: Ambari users should upgrade to version 2.4.3; or version 2.5.1 or above.

Credit: New York Life Insurance Company

...

CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 2.2.2 through 2.4.2; and 2.5.0

Versions Fixed: 2.4.3, 2.5.1

Description: Sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host.

Mitigation: Ambari 2.4.x (before 2.4.3) users should upgrade to version 2.4.3; Ambari 2.5.0 users should upgrade to Ambari 2.5.1 or above. 

Ambari 2.4.3 and Ambari 2.5.1 correct this issue by forcing the related temporary files to be accessible only to the user executing the Ambari server process. The related temporary files should be removed when no longer needed, as well.

Credit: Pradeep Bhadani

Fixed in Ambari 2.5.0

...

CVE-2017-5642: Ambari Server artifacts do not have proper ACLs

...

Versions Affected: 2.4.0 to 2.4.2

Versions Fixed: 2.4.3, 2.5.0

Description: During installation, Ambari Server artifacts are not created with proper ACLs

Mitigation: Ambari users should upgrade to version 2.5.0 or above; or for .  For users of Version 2.4.0 through Version 2.4.2, either upgrade to version 2.4.3 or execute the script provided with Version 2.5.0 to correct the ACLs on Ambari server artifacts.
The proper ACL's are set for installed Ambari artifacts in Ambari versions 2.4.3, 2.5.0 and later. However, users of Version 2.4.0 through 2.4.2 may execute the script found at https://github.com/apache/ambari/blob/release-2.5.0/ambari-server/src/main/resources/scripts/check_ambari_permissions.py to fix the permissions on Ambari server artifacts on the Ambari server host.

Credit: Hortonworks

Fixed in Ambari 2.4.3

...

CVE-2017-5642: Ambari Server artifacts do not have proper ACLs

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 2.4.0 to 2.4.2

Versions Fixed: 2.4.3, 2.5.0

Description: During installation, Ambari Server artifacts are not created with proper ACLs

Mitigation: Ambari users should upgrade to version 2.5.0 or above.  For users of Version 2.4.0 through Version 2.4.2, a either upgrade to version 2.4.3 or execute the script provided with Version 2.5.0 may be executed to correct the ACLs on Ambari server artifacts. 
The proper ACL's are set for installed Ambari artifacts in Ambari versions 2.4.3, 2.5.0 and later. However, users of Version 2.4.0 through 2.4.2 may execute the script found at at https://github.com/apache/ambari/blob/release-2.5.0/ambari-server/src/main/resources/scripts/check_ambari_permissions.py to  to fix the permissions on Ambari server artifacts on the Ambari server host.

Credit: Hortonworks

...

CVE-2017-5654: XML injection vulnerability in Hive View

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 2.4.0 through 2.4.2, and 2.5.0

Versions Fixed: 2.4.3, 2.5.1

Description: An authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Amari server executes.
Access to files are limit to the set of files for which the user that executes the Ambari server has read access.

Mitigation: Ambari users should upgrade to version 2.4.3; or version 2.5.1 or above.

Credit: New York Life Insurance Company

...

CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 2.2.2 through 2.4.2; and 2.5.0

Versions Fixed: 2.4.3, 2.5.1

Description: Sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host.

Mitigation: Ambari 2.4.x (before 2.4.3) users should upgrade to version 2.4.3; Ambari 2.5.0 users should upgrade to Ambari 2.5.1 or above. 

Ambari 2.4.3 and Ambari 2.5.1 correct this issue by forcing the related temporary files to be accessible only to the user executing the Ambari server process. The related temporary files should be removed when no longer needed, as well.

Credit: Pradeep Bhadani

Fixed in Ambari 2.4.2

...

CVE-2016-6807: Custom commands may be executed without authorization

...

Credit: Nitya Kumar Sharma from Microsoft

Fixed in Ambari 2.4.0

...

CVE-2014-3582: OpenSSL parameter injection vulnerability

...

Mitigation: Ambari users should upgrade to version 2.4.0 or above.
Version 2.4.0 onwards properly enforces that agent-supplied host names are valid hostnames before attempting to execute OpenSSL commands to create SSL certificates. However, this feature may be disabled by setting security.agent.hostname.validate to "false" in the ambari.properties file. It is strongly recommended that the default value of security.agent.hostname.validate is not changed since it may enable this vulnerability.

Credit: David Jorm 

...

CVE-2016-4976: Apache Ambari kadmin password visibility vulnerability

...

Credit: Greg S. Senia from New York Life Insurance Company.

Fixed in Ambari 2.2.1

...

CVE-2016-0731: Ambari File Browser View security vulnerability

...

Mitigation: Ambari users should upgrade to versions 2.2.1 or above.

Fixed in Ambari 2.1.2

...

CVE-2016-0707: File System Permissions aren't restrictive enough for the Agent/Command logs

...

• chmod -R 0600 /var/lib/ambari-agent/data
• chmod -R a+X /var/lib/ambari-agent/data
• chmod -R a+rx /var/lib/ambari-agent/data/tmp
• chmod 0600 /var/lib/ambari-agent/keys/*.key

CVE-2015-5210: Unvalidated Redirects and Forwards using targetURI parameter can enable phishing exploits 

...

Mitigation: Ambari users should upgrade to version 2.1.2 or above. Version 2.1.2 onwards redirect locations must be relative URLs.

Fixed in Ambari 2.1.1

...

CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely

...

In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected such that only a user with administrator privileges can esculate a user's privileges. A user, however, may still access the endpoint but may only change their own password. 

Fixed in Ambari 2.1.0

...

CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability

...

Credit: This issue was discovered by  Mateusz Olejarka (SecuRing).