Bug 1170479 (CVE-2014-3627)

Summary: CVE-2014-3627 hadoop: file disclosure flaw
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, alonbl, bazulay, besser82, bmcclain, dblechte, ecohen, gklein, idith, iheim, jrusnack, lsurette, matt, michal.skrivanek, rbalakri, Rhev-m-bugs, rrati, weli, yeylon, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hadoop 2.5.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-08 03:52:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1170480    
Bug Blocks: 1170482    

Description Murray McAllister 2014-12-04 05:19:21 UTC 
The Hadoop 2.5.2 release fixes the following flaw that would allow arbitrary files to be exposed:

""
Vulnerability allows a cluster user to expose private files owned
by the user running the YARN NodeManager process.  The malicious cluster
user can create a public tar archive containing a symlink to a local file
on the node owned by the user running the YARN NodeManager process.  The
permissions of the local file will be changed to be world-readable when the
public archive is localized on the node.
""

References:

http://seclists.org/oss-sec/2014/q4/891
http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug@mail.gmail.com%3E
Comment 1 Murray McAllister 2014-12-04 05:20:05 UTC 
Created hadoop tracking bugs for this issue:

Affects: fedora-all [bug 1170480]
Comment 3 Kurt Seifried 2015-05-08 03:52:18 UTC 
Statement:

This issue may affect the versions of hadoop as shipped with Red Hat Enterprise Virtualization Manager. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.