Table of Contents |
---|
Fixed in Ambari 2.7.4
...
Anchor CVE-2020-1936 CVE-2020-1936
CVE-2020-1936 :cross-site scripting vulnerability in Ambari Alerts
Severity: Medium
Vendor: Cloudera
Versions Affected: prior to Ambari 2.7.4
Versions Fixed: Ambari 2.7.4
Description:
Special characters should be encoded when displayed in Ambari Views. If special characters are not encoded, then scripts (<script>alert("xss!")</script>) may be executed due to user input. For example, issues may occur by placing special character in the Display Name field of an Ambari View.
Mitigation:
Upgraded to Ambari 2.7.4
Fixed in Ambari 2.7.0
...
Anchor CVE-2018-8042 CVE-2018-8042
CVE-2018-8042: Passwords for Hadoop credential stores are visible in Ambari Agent standard out
Severity: Important
Vendor: Hortonworks
Versions Affected: Ambari 2.5.x, Ambari 2.6.x
Versions Fixed: Ambari 2.7.0
Description:
Passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.
Mitigation:
Ambari 2.5.x installations should be upgraded to Ambari 2.7.0
Ambari 2.6.x installations should be upgraded to Ambari 2.7.0
Credit:
This issue was discovered by Hortonworks.
Fixed in Ambari 2.6.2
...
Anchor CVE-2018-8003 CVE-2018-8003
CVE-2018-8003: Path traversal in Ambari allows remote and unauthenticated access to files in the filesystem
...
Credit: Krzysztof Przybylski from STM Solutions
Fixed in Ambari 2.5.1
...
Anchor CVE-2017-5654 CVE-2017-5654
CVE-2017-5654: XML injection vulnerability in Hive View
...
Credit: New York Life Insurance Company
...
Anchor CVE-2017-5655 CVE-2017-5655
CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations
...
Credit: Pradeep Bhadani
Fixed in Ambari 2.5.0
...
Anchor CVE-2017-5642 CVE-2017-5642
CVE-2017-5642: Ambari Server artifacts do not have proper ACLs
...
Credit: Hortonworks
Fixed in Ambari 2.4.3
...
Anchor CVE-2017-5642 CVE-2017-5642
CVE-2017-5642: Ambari Server artifacts do not have proper ACLs
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 2.4.0 to 2.4.2
Versions Fixed: 2.4.3, 2.5.0
Description: During installation, Ambari Server artifacts are not created with proper ACLs
Mitigation: Ambari users should upgrade to version 2.5.0 or above. For users of Version 2.4.0 through Version 2.4.2, either upgrade to version 2.4.3 or execute the script provided with Version 2.5.0 to correct the ACLs on Ambari server artifacts.
The proper ACL's are set for installed Ambari artifacts in Ambari versions 2.4.3, 2.5.0 and later. However, users of Version 2.4.0 through 2.4.2 may execute the script found at https://github.com/apache/ambari/blob/release-2.5.0/ambari-server/src/main/resources/scripts/check_ambari_permissions.py to fix the permissions on Ambari server artifacts on the Ambari server host.
Credit: Hortonworks
...
Anchor CVE-2017-5654 CVE-2017-5654
CVE-2017-5654: XML injection vulnerability in Hive View
...
Credit: New York Life Insurance Company
...
Anchor CVE-2017-5655 CVE-2017-5655
CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations
...
Credit: Pradeep Bhadani
Fixed in Ambari 2.4.2
...
Anchor CVE-2016-6807 CVE-2016-6807
CVE-2016-6807: Custom commands may be executed without authorization
...
Credit: Nitya Kumar Sharma from Microsoft
Fixed in Ambari 2.4.0
...
Anchor CVE-2014-3582 CVE-2014-3582
CVE-2014-3582: OpenSSL parameter injection vulnerability
...
Mitigation: Ambari users should upgrade to version 2.4.0 or above.
Version 2.4.0 onwards properly enforces that agent-supplied host names are valid hostnames before attempting to execute OpenSSL commands to create SSL certificates. However, this feature may be disabled by setting security.agent.hostname.validate to "false" in the ambari.properties file. It is strongly recommended that the default value of security.agent.hostname.validate is not changed since it may enable this vulnerability.
Credit: David Jorm
...
Anchor CVE-2016-4976 CVE-2016-4976
CVE-2016-4976: Apache Ambari kadmin password visibility vulnerability
...
Credit: Greg S. Senia from New York Life Insurance Company.
Fixed in Ambari 2.2.1
...
Anchor CVE-2016-0731 CVE-2016-0731
CVE-2016-0731: Ambari File Browser View security vulnerability
...
Mitigation: Ambari users should upgrade to versions 2.2.1 or above.
Fixed in Ambari 2.1.2
...
Anchor CVE-2016-0707 CVE-2016-0707
CVE-2016-0707: File System Permissions aren't restrictive enough for the Agent/Command logs
...
- chmod -R 0600 /var/lib/ambari-agent/data
- chmod -R a+X /var/lib/ambari-agent/data
- chmod -R a+rx /var/lib/ambari-agent/data/tmp
- chmod 0600 /var/lib/ambari-agent/keys/*.key/keys/*.key
Anchor CVE-2015-5210 CVE-2015-5210
CVE-2015-5210: Unvalidated Redirects and Forwards using targetURI parameter can enable phishing exploits
...
Mitigation: Ambari users should upgrade to version 2.1.2 or above. Version 2.1.2 onwards redirect locations must be relative URLs.
Fixed in Ambari 2.1.1
...
Anchor CVE-2015-3270 CVE-2015-3270
CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely
...
In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected such that only a user with administrator privileges can esculate a user's privileges. A user, however, may still access the endpoint but may only change their own password.
Fixed in Ambari 2.1.0
...
Anchor CVE-2015-1775 CVE-2015-1775
CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability
...
Credit: This issue was discovered by Mateusz Olejarka (SecuRing).
Anchor CVE-2015-3186 CVE-2015-3186
CVE-2015-3186: Apache Ambari XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.0.2
Versions Fixed: 2.1.0
Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS.
Mitigation: Ambari users should upgrade to version 2.1.0 or above.
Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
Credit: Hacker Y on the Elephant Scale team.