Fixed in Ambari 2.2.1
CVE-2016-0731: Ambari File Browser View security vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.2.0
Versions Fixed: 2.2.1
Description: Ambari File Browser View allows an Ambari admin user to gain access to Ambari Server's local file system.
Mitigation: Ambari users should upgrade to versions 2.2.1 or above.
Fixed in Ambari 2.1.2
CVE-2016-0707: File System Permissions aren't restrictive enough for the Agent/Command logs
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.1.1
Versions Fixed: 2.1.2
Description: The Ambari agent's working folders (e.g. /var/lib/ambari-agent/data, /var/lib/ambari-agent/keys) are not created with a restrictive ACL. Because the command log files stored there may contain sensitive information, unauthorized local users could potentially read them.
Mitigation: Ambari users should use version 2.1.2 or above to install new clusters. From version 2.1.2 onwards, the ambari-agent work folders are created with a restricted ACL. In addition, after upgrading to 2.1.2 or above, users should check and tighten the ACLs of the existing folders as follows:
- chmod -R 0600 /var/lib/ambari-agent/data
- chmod -R a+X /var/lib/ambari-agent/data
- chmod -R a+rx /var/lib/ambari-agent/data/tmp
- chmod 0600 /var/lib/ambari-agent/keys/*.key
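The following is an added example, not part of the Apache advisory or of Ambari itself: it mirrors the four chmod steps above with os.chmod so the result can be audited programmatically, then checks that no command log or key file is left readable by group or others. The directory paths are parameters and the sample tree it builds is constructed for illustration, so it can be run against a scratch copy rather than the real /var/lib/ambari-agent.

```python
import os
import stat
import tempfile


def _under_tmp(path, tmp_dir):
    return path == tmp_dir or path.startswith(tmp_dir + os.sep)


def restrict_agent_dirs(data_dir, keys_dir):
    """Apply the advisory's chmod sequence with os.chmod:
         chmod -R 0600 data; chmod -R a+X data; chmod -R a+rx data/tmp;
         chmod 0600 keys/*.key
    Net effect: files 0600, directories 0711 (search bit only), and
    everything under data/tmp gets read+execute for all users (0755)."""
    tmp_dir = os.path.join(data_dir, "tmp")
    for root, _dirs, files in os.walk(data_dir):
        in_tmp = _under_tmp(root, tmp_dir)
        os.chmod(root, 0o755 if in_tmp else 0o711)
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue  # chmod -R skips symlinks met during traversal; so do we
            os.chmod(path, 0o755 if in_tmp else 0o600)
    if os.path.isdir(keys_dir):
        for name in os.listdir(keys_dir):
            if name.endswith(".key"):
                os.chmod(os.path.join(keys_dir, name), 0o600)


def _group_or_world_readable(path):
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_files(data_dir, keys_dir):
    """Audit: return the files the advisory wants private (everything under
    data except data/tmp, and *.key under keys) that are still readable by
    group or others."""
    tmp_dir = os.path.join(data_dir, "tmp")
    exposed = []
    for root, _dirs, files in os.walk(data_dir):
        if _under_tmp(root, tmp_dir):
            continue  # data/tmp is intentionally a+rx
        exposed.extend(p for p in (os.path.join(root, f) for f in files)
                       if _group_or_world_readable(p))
    if os.path.isdir(keys_dir):
        exposed.extend(p for p in (os.path.join(keys_dir, f) for f in os.listdir(keys_dir))
                       if p.endswith(".key") and _group_or_world_readable(p))
    return sorted(exposed)


def build_sample_tree(base):
    """Constructed sample: a pre-2.1.2 style layout with permissive modes."""
    data, keys = os.path.join(base, "data"), os.path.join(base, "keys")
    os.makedirs(os.path.join(data, "tmp"))
    os.makedirs(keys)
    for rel, mode in (("data/command-1.json", 0o644),
                      ("data/output-1.txt", 0o644),
                      ("data/tmp/run.sh", 0o755),
                      ("keys/agent.key", 0o644)):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.chmod(path, mode)
    return data, keys


def demo():
    """Return (exposed before, exposed after, mode of data/tmp/run.sh after)."""
    with tempfile.TemporaryDirectory() as scratch:
        data, keys = build_sample_tree(scratch)
        before = len(find_exposed_files(data, keys))
        restrict_agent_dirs(data, keys)
        after = len(find_exposed_files(data, keys))
        tmp_mode = stat.S_IMODE(os.stat(os.path.join(data, "tmp", "run.sh")).st_mode)
        return before, after, tmp_mode


if __name__ == "__main__":
    print("exposed before/after, tmp mode:", demo())
```

Note that `chmod -R a+X` leaves every directory under data searchable by all users (0711); that is what the advisory prescribes, and the files inside are still unreadable because they are 0600. find_exposed_files is the check to re-run after an upgrade or when adding agent hosts.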
CVE-2015-5210: Unvalidated Redirects and Forwards using targetURI parameter can enable phishing exploits
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.1.1
Versions Fixed: 2.1.2
Description: The targetURI parameter, which specifies where the browser is redirected after a successful login, is not validated, so a crafted login link can send the user to an untrusted server once they have authenticated.
Mitigation: Ambari users should upgrade to version 2.1.2 or above. From version 2.1.2 onwards, redirect locations must be relative URLs.
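Added example (not Ambari's code) of the kind of check the fix describes: a login handler accepts the post-login target only if it is a relative, site-absolute path and falls back to a default landing page otherwise. The parameter name targetURI is from the advisory; the function name, the default path and the rejection rules are assumptions, and the hostile inputs mentioned in the comments are constructed.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_LANDING = "/"  # assumption: where to send users when targetURI is rejected


def _has_control_or_space(s):
    # CR/LF would allow header injection into the Location header; browsers
    # also strip tabs and newlines inside schemes ("java\tscript:").
    return any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in s)


def safe_redirect_target(target_uri, default=DEFAULT_LANDING):
    """Return target_uri if it is a plain relative URL on this origin, else default."""
    if not target_uri or _has_control_or_space(target_uri):
        return default
    # Browsers treat backslashes as forward slashes, so "/\evil.example"
    # navigates to "//evil.example". Normalise before any other check.
    candidate = target_uri.replace("\\", "/")
    # Check the raw form and the percent-decoded form: a server that decodes
    # before redirecting would turn "/%2f%2fevil.example" into "//evil.example",
    # and "/%5cevil.example" into "/\evil.example".
    for form in (candidate, unquote(candidate).replace("\\", "/")):
        if _has_control_or_space(form):
            return default
        if not form.startswith("/") or form.startswith("//"):
            return default  # not site-absolute, or protocol-relative (//host)
        parts = urlsplit(form)
        if parts.scheme or parts.netloc:
            return default  # "https://evil.example", "javascript:..." and the like
    return candidate


if __name__ == "__main__":
    for t in ("/#/main/dashboard", "//evil.example/", "https://evil.example/",
              "/\\evil.example", "/%2f%2fevil.example", "javascript:alert(1)"):
        print(repr(t), "->", safe_redirect_target(t))
```

Rejecting anything that is not a leading-single-slash path, rather than trying to blocklist schemes and hosts, is what "redirect locations must be relative URLs" amounts to in practice; the decoded-form pass covers the case where the application decodes the parameter before building the Location header.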
Fixed in Ambari 2.1.1
CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0, 2.0.0, 2.0.1, 2.1.0
Versions Fixed: 2.0.2, 2.1.1
Description: An authenticated non-administrative user can remotely escalate their own permissions to administrator level, gaining administrative access through both the API and the UI.
Mitigation: Ambari users should upgrade to version 2.1.1 or above (2.0.0 and 2.0.1 can be upgraded to 2.0.2).
In fixed versions of Ambari (2.0.2, and 2.1.1 onward), access to the user resource endpoint is protected such that only a user with administrator privileges can change a user's privileges. A non-administrative user may still access the endpoint, but may only change their own password.
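An added example (not Ambari's code) of the authorization rule the fixed versions enforce on the user resource endpoint: only an administrator may change another user's privileges, while a non-administrator may touch only their own password. The in-memory user store, the request shape (a dict of fields being updated) and the field names are assumptions for illustration; the unchecked variant shows the pre-fix behaviour, in which authentication alone gated the update.

```python
class Forbidden(Exception):
    """Raised when the caller is not authorized to perform the update."""


# Assumption: the only field a non-admin may change, and only on their own account.
SELF_SERVICE_FIELDS = frozenset({"password"})


def authorize_user_update(actor, target_user, updates):
    """actor: {'name': str, 'admin': bool}; updates: {field: value} for target_user."""
    if actor["admin"]:
        return  # administrators may set any field on any user
    if actor["name"] != target_user:
        raise Forbidden("%s may not modify user %s" % (actor["name"], target_user))
    privileged = set(updates) - SELF_SERVICE_FIELDS
    if privileged:
        # e.g. {'admin': True}: the self-escalation the advisory describes
        raise Forbidden("%s may not set %s" % (actor["name"], ", ".join(sorted(privileged))))


def is_update_allowed(actor, target_user, updates):
    try:
        authorize_user_update(actor, target_user, updates)
        return True
    except Forbidden:
        return False


def update_user_unchecked(store, actor, target_user, updates):
    """Pre-fix behaviour: any authenticated user may PUT any field on any user."""
    store[target_user].update(updates)


def update_user(store, actor, target_user, updates):
    """Fixed behaviour: authorize the whole field set first, then apply it."""
    authorize_user_update(actor, target_user, updates)
    store[target_user].update(updates)


def demo():
    """Replay the escalation against both versions; return
    (escalated_unchecked, escalated_checked, own_password_changed)."""
    alice = {"name": "alice", "admin": False}
    store = {"alice": {"admin": False, "password": "old"}}
    update_user_unchecked(store, alice, "alice", {"admin": True})
    escalated_unchecked = store["alice"]["admin"]
    store["alice"]["admin"] = False
    try:
        update_user(store, alice, "alice", {"admin": True})
    except Forbidden:
        pass
    escalated_checked = store["alice"]["admin"]
    update_user(store, alice, "alice", {"password": "new"})
    return escalated_unchecked, escalated_checked, store["alice"]["password"] == "new"


if __name__ == "__main__":
    print("escalated (unchecked, checked), password changed:", demo())
```

The check is on the full set of fields in the request, not just the presence of a password, so a request that bundles an allowed field with a privileged one ({"password": ..., "admin": true}) is rejected as a whole rather than partially applied.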
Fixed in Ambari 2.1.0
CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.5.0 to 2.0.2
Versions Fixed: 2.1.0
Description: Ambari exposes a proxy endpoint, api/v1/proxy, that can be used to make REST calls to an arbitrary host:port reachable from the Ambari Server host. The ability to make these calls is limited to authenticated Ambari users, and only Ambari admin users may use HTTP methods other than GET (non-admin users can only issue GET requests). Even so, this allows malicious users to port-scan and/or access unsecured services that are visible to the Ambari Server host through the proxy endpoint. In addition, Ambari provides a utility that performs such proxy calls on behalf of View instances hosted by Ambari.
Mitigation: Ambari users should upgrade to version 2.1.0 or above. From version 2.1.0 onwards the proxy endpoint (api/v1/proxy) is disabled. In addition, a configurable parameter, proxy.allowed.hostports, is introduced in the config file ambari.properties to explicitly specify the list of host:port pairs that the utility may proxy to.
Credit: This issue was discovered by Mateusz Olejarka (SecuRing).
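Added example (not Ambari's code) of how a proxy helper can enforce an allowlist like the one proxy.allowed.hostports introduces. The property name is from the advisory; the value format assumed here (a comma-separated list of host:port entries), the function names, the sample hosts and the rule that only http and https targets are accepted are all assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_allowed_hostports(value):
    """Parse an assumed 'host:port,host:port' property value into {(host, port)}.
    IPv6 entries may be written as [::1]:8080; the brackets are dropped so the
    entry matches what urlsplit().hostname returns."""
    allowed = set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("malformed proxy.allowed.hostports entry: %r" % entry)
        allowed.add((host.strip("[]").lower(), int(port)))
    return allowed


def check_proxy_target(url, allowed):
    """Return (host, port) if url may be proxied, else raise PermissionError.
    The match is on the literal host in the URL, before any DNS resolution."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise PermissionError("scheme %r may not be proxied" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # "http://allowed.host:50070@evil.example/" has hostname evil.example;
        # reject userinfo outright rather than reason about it.
        raise PermissionError("userinfo in proxy target is not allowed")
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        raise PermissionError("invalid port in proxy target") from None
    host = parts.hostname  # already lower-cased, brackets removed for IPv6
    if not host:
        raise PermissionError("proxy target has no host")
    port = port or DEFAULT_PORTS[parts.scheme]
    if (host, port) not in allowed:
        raise PermissionError("%s:%d is not in proxy.allowed.hostports" % (host, port))
    return host, port


def is_proxy_allowed(url, allowed):
    try:
        check_proxy_target(url, allowed)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    allowed = parse_allowed_hostports("namenode.example:50070, rm.example:8088")
    for u in ("http://namenode.example:50070/jmx",
              "http://169.254.169.254/latest/meta-data/",
              "http://namenode.example:50070@evil.example/"):
        print(u, "->", is_proxy_allowed(u, allowed))
```

Two caveats a practitioner should keep in mind: the default port is filled in before matching, so "http://host/" is compared as host:80 and is not accepted just because host:50070 is listed; and the check is against the name in the URL, so an entry that resolves to an unexpected address (DNS rebinding, or a wildcard record) is not caught by the allowlist alone.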
CVE-2015-3186: Apache Ambari XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.0.2
Versions Fixed: 2.1.0
Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as-is (as unescaped HTML), which makes stored cross-site scripting (XSS) possible.
Mitigation: Ambari users should upgrade to version 2.1.0 or above.
Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
Credit: Hacker Y on the Elephant Scale team.
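Added example (not Ambari's code): the note field rendered the way the advisory describes for the affected versions, beside the escaped rendering that the fix applies. Rendering with a string template is an assumption for illustration and the note value is constructed; the point it adds is that the escaping must cover quotes as well as angle brackets, because a note can land in an attribute as well as in element text.

```python
import html

# Constructed: a note an operator (or an attacker with operator rights) could save.
MALICIOUS_NOTE = '<img src=x onerror=alert(document.cookie)>" onmouseover="alert(1)'

TEMPLATE = '<td class="note" title="%s">%s</td>'


def render_note_unescaped(note):
    """Affected versions: the note is spliced into the markup as-is."""
    return TEMPLATE % (note, note)


def render_note_escaped(note):
    """Fixed behaviour: HTML-escape the note. quote=True (the default) also
    turns " and ' into entities, which is what keeps the attribute context
    from being broken out of."""
    safe = html.escape(note, quote=True)
    return TEMPLATE % (safe, safe)


def tag_count(rendered):
    """Number of '<' in the output; the wrapper alone accounts for two."""
    return rendered.count("<")


def quote_count(rendered):
    """Number of raw double quotes; the wrapper's two attributes account for four."""
    return rendered.count('"')


if __name__ == "__main__":
    print(render_note_unescaped(MALICIOUS_NOTE))
    print(render_note_escaped(MALICIOUS_NOTE))
```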