Description

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.

Remediation

References

https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r

Related Vulnerabilities

CVE-2021-22113 Vulnerability in maven package org.springframework.cloud:spring-cloud-netflix-zuul

CVE-2019-20365 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

CVE-2018-1000011 Vulnerability in maven package org.jvnet.hudson.plugins.findbugs:parent

CVE-2019-12421 Vulnerability in maven package org.apache.nifi:nifi-nar-bundles

CVE-2023-39410 Vulnerability in maven package org.apache.avro:avro

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Vendor Advisory