Multiple vulnerabilities were found and fixed in Apache Hadoop.

CVE-2017-3162: Apache Hadoop DataNode web UI vulnerability
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated.
http://seclists.org/oss-sec/2017/q2/126

CVE-2017-3161: Apache Hadoop NameNode XSS vulnerability
The HDFS web UI is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
http://seclists.org/oss-sec/2017/q2/127
Created hadoop tracking bugs for this issue:

Affects: fedora-all [bug 1448374]
Another issue was found in Apache Hadoop.

CVE-2017-7669: Apache Hadoop privilege escalation
The LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.
http://seclists.org/oss-sec/2017/q2/394
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.