Description

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.

Remediation

References

https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r

Related Vulnerabilities

CVE-2021-36739 Vulnerability in maven package org.apache.portals.pluto.archetype:mvcbean-jsp-portlet-archetype

CVE-2019-1003050 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2021-41973 Vulnerability in maven package org.apache.mina:mina-http

CVE-2019-10328 Vulnerability in maven package org.jenkins-ci.plugins:workflow-remote-loader

CVE-2020-2295 Vulnerability in maven package org.jkva.maven-plugins:cascading-release-maven-plugin

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Vendor Advisory