Red Hat Bugzilla – Bug 1308835
CVE-2015-1776 hadoop: disclosure of encrypted data in Hadoop MapReduce
Last modified: 2016-10-13 07:18:35 EDT
The encryption key/secret used to encrypt the intermediate data
generated by an Apache Hadoop MapReduce job is stored as a token in
the job's credentials and is subsequently serialized to disk
(without any additional encryption/protection) into the machine's
local dirs. A malicious user who has access to this credentials file
can load the tokens from the file, read the secret and then decrypt
the intermediate data which is also stored in machine local dirs.
Created hadoop tracking bugs for this issue:
Affects: fedora-all [bug 1308836]
This vulnerability applies to a feature added to Hadoop in 2.6.x versions, which are not available in Fedora, which currently packages 2.4.1. The workaround is to avoid using this feature. The vulnerability is addressed in 2.7.x.
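One way to check whether a node has the workaround applied, as an added example that is not part of the bug report or of Hadoop itself. It assumes "this feature" corresponds to the Hadoop property `mapreduce.job.encrypted-intermediate-data` (the report does not name it) and takes the version boundaries from the comment above; the sample configurations are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Real Hadoop property for encrypted intermediate data. The report does not
# name it; mapping "this feature" to this key is an assumption of the example.
FEATURE_KEY = "mapreduce.job.encrypted-intermediate-data"

# Constructed sample configs, not taken from any real cluster.
SITE_ON = """<configuration><property>
  <name>mapreduce.job.encrypted-intermediate-data</name><value>true</value>
</property></configuration>"""
SITE_ON_FINAL = SITE_ON.replace("</value>", "</value><final>true</final>")
JOB_OFF = SITE_ON.replace("true", "false")


def load_properties(xml_texts):
    """Merge Hadoop configuration documents in load order. A later document
    overrides an earlier one unless the property was marked final."""
    props, finals = {}, set()
    for text in xml_texts:
        for prop in ET.fromstring(text).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if not name or name in finals:
                continue
            props[name] = (prop.findtext("value") or "").strip()
            if (prop.findtext("final") or "").strip().lower() == "true":
                finals.add(name)
    return props


def audit(version, xml_texts):
    """Classify a node from its Hadoop version and effective configuration."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable Hadoop version: {version!r}")
    release = (int(m.group(1)), int(m.group(2)))
    if release < (2, 6):
        return "not-affected: feature absent"   # e.g. the 2.4.1 Fedora package
    if release >= (2, 7):
        return "not-affected: addressed"        # per the report, fixed in 2.7.x
    enabled = load_properties(xml_texts).get(FEATURE_KEY, "false").lower() == "true"
    return "exposed" if enabled else "workaround-applied"


if __name__ == "__main__":
    for ver, docs in [("2.6.0", [SITE_ON]), ("2.6.0", [SITE_ON, JOB_OFF]),
                      ("2.6.4", [SITE_ON_FINAL, JOB_OFF]), ("2.4.1", [SITE_ON])]:
        print(ver, audit(ver, docs))
```

The `final` case matters for the workaround: a site file that pins the property to `true` as final cannot be switched off by a later job-level document, so the node stays exposed until the site file itself is changed.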