Discussion:
a vulnerability of hadoop
h***@zte.com.cn
2018-11-13 03:10:45 UTC
Hello everyone,

I use 'black duck' to scan hadoop and found a vulnerability below:

BDSA-2018-1828: Apache Hadoop is vulnerable to an arbitrary file write vulnerability via a directory traversal. An attacker could exploit this vulnerability by supplying the component with a maliciously crafted archive that, when unpacked, would cause an arbitrary file to be written to the file system. [MEDIUM]

I don't know what this means.

Can someone help me solve this?

Thank you very much.

胡晓䞜 huxiaodong
Network Management & Service System Dept
ZTE Phase II, 68 Zijinghua Road, Nanjing
MP: 17351011636
E: ***@zte.com.cn
张铎(Duo Zhang)
2018-11-13 03:44:30 UTC
I think this is a known CVE (CVE-2018-8009) which should have already been
fixed in recent hadoop releases.

Which hadoop version do you use?

Thanks.

h***@zte.com.cn
2018-11-13 03:51:31 UTC
Thank you for your reply.

The version of hadoop we use is 2.7.3.

胡晓䞜 huxiaodong
Network Management & Service System Dept
ZTE Phase II, 68 Zijinghua Road, Nanjing
MP: 17351011636
E: ***@zte.com.cn
Francisco de Freitas
2018-11-13 03:45:35 UTC
Hi,

I believe it's related to this:
https://github.com/snyk/zip-slip-vulnerability

I wrote about it a while back here on the list but nobody answered.

The fix is on this commit:
https://github.com/apache/hadoop/commit/745f203e577bacb35b042206db94615141fa5e6f#diff-19cfa944d1bb9ce1daa46aa4223f3642

but it's only found on this branch:

~/git/hadoop @ trunk > git name-rev --tags --name-only 745f203
ozone-0.2.1-alpha-RC0~600

I'm not sure what impact and extent this vulnerability has, and that might
be the reason it hasn't been given much attention.

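The issue behind the BDSA text in the first post and the snyk "zip-slip" link above is that an archive entry name is trusted as a relative path, so an entry like `../../x` is written outside the directory the caller chose. The Python below is an added example (not Hadoop's code and not the linked commit, which is Java) showing the check a safe extractor performs before writing each entry, applied to both zip and tar; the sample archives are constructed in memory and the function names are illustrative.

```python
"""Zip Slip defence: validate where each archive entry would land before
writing anything. Added example, not Hadoop's code; sample archives are
constructed in memory so the example runs offline."""
import io
import os
import tarfile
import tempfile
import zipfile

class UnsafeEntryError(ValueError):
    """An archive entry whose path resolves outside the extraction root."""

def resolve_inside(dest_dir, entry_name):
    """Return the absolute target path for entry_name, or raise
    UnsafeEntryError if it escapes dest_dir. realpath() collapses '..'
    segments and follows symlinks in dest_dir; os.path.join returns the
    entry's own path when it is absolute, so absolute names fail the
    same comparison."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    # commonpath, not str.startswith: '/srv/extract2' starts with
    # '/srv/extract' yet is a different directory.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeEntryError(f"{entry_name!r} resolves to {target!r}, outside {root!r}")
    return target

def entry_is_safe(dest_dir, entry_name):
    """Boolean wrapper around resolve_inside."""
    try:
        resolve_inside(dest_dir, entry_name)
        return True
    except UnsafeEntryError:
        return False

def _write(target, data):
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as dst:
        dst.write(data)

def safe_unzip(archive_bytes, dest_dir):
    """Extract a zip; return (written, rejected) lists of entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = resolve_inside(dest_dir, info.filename)
            except UnsafeEntryError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                _write(target, zf.read(info))
                written.append(info.filename)
    return written, rejected

def safe_untar(archive_bytes, dest_dir):
    """Extract a tar; return (written, rejected). Only regular files and
    directories are materialised: a symlink entry pointing outside the
    root would let a later entry write through it, so links are rejected."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for member in tf:
            try:
                target = resolve_inside(dest_dir, member.name)
            except UnsafeEntryError:
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isreg():
                _write(target, tf.extractfile(member).read())
                written.append(member.name)
            else:
                rejected.append(member.name)
    return written, rejected

def build_sample_zip():
    """Constructed archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("conf/site.xml", "<configuration/>")
        zf.writestr("../../escaped.txt", "would land outside the root")
    return buf.getvalue()

def build_sample_tar():
    """Constructed archive: benign file, traversal file, escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("lib/native.so", b"\x7fELF"), ("../outside.sh", b"#!/bin/sh\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../.."
        tf.addfile(link)
    return buf.getvalue()

def demo():
    """Extract both samples into a fresh temp dir; report what was kept."""
    with tempfile.TemporaryDirectory() as dest:
        zw, zr = safe_unzip(build_sample_zip(), dest)
        tw, tr = safe_untar(build_sample_tar(), dest)
        files = sorted(os.path.relpath(os.path.join(d, f), dest)
                       for d, _, names in os.walk(dest) for f in names)
    return {"zip_written": zw, "zip_rejected": zr,
            "tar_written": tw, "tar_rejected": tr, "files": files}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` leaves only `conf/site.xml` and `lib/native.so` under the temporary directory; the traversal entries and the symlink are reported as rejected rather than silently skipped, which is what you want to log and alert on when a scanner such as the one in the first post flags an unpacking path. Canonicalising both sides with `realpath` and comparing with `commonpath` (not a string prefix) is the core of the check; the linked Hadoop commit applies the same idea in its Java unpacking code.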
h***@zte.com.cn
2018-11-13 04:08:45 UTC
Thank you very much!

Your reply is very useful to me.

胡晓䞜 huxiaodong
Network Management & Service System Dept
ZTE Phase II, 68 Zijinghua Road, Nanjing
MP: 17351011636
E: ***@zte.com.cn
张铎(Duo Zhang)
2018-11-13 06:27:59 UTC
Please upgrade to 2.7.7.

2.7.7 has the fix for this CVE.

See here:

https://github.com/apache/hadoop/commits/release-2.7.7-RC0

h***@zte.com.cn
2018-11-13 06:40:28 UTC
Thanks!

胡晓䞜 huxiaodong
Network Management & Service System Dept
ZTE Phase II, 68 Zijinghua Road, Nanjing
MP: 17351011636
E: ***@zte.com.cn