This is an information disclosure vulnerability in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
Created hadoop tracking bugs for this issue:
Affects: fedora-all [bug 1405925]
This will be fixed by Hadoop 2.7.3 in F26, but I'm not sure much can really be done about F25 and earlier with Hadoop 2.4.1. Upstream does not have a fix which can be easily backported, and the current package maintainer doesn't have time to research a custom fix.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.