This page lists security fixes that the Hadoop PMC felt warranted a CVE. If you think something is missing from this list or if you think the set of impacted or fixed versions is incomplete then please ask on the Security list.
CVEs are presented in most-recent-first order of announcement.
After the security fix for CVE-2017-15713, KMS has an access control regression, blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms such as LdapGroupsMapping, CompositeGroupsMapping, or NullGroupsMapping.
HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. This affects features that store sensitive data in extended attributes, such as HDFS encryption secrets.
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
Vulnerability allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localized, public archive on the node then code can be injected into the jobs of other cluster users using the public archive.
A user who can escalate to yarn user can possibly run arbitrary commands as root user.
Note: The fix for this vulnerability is incomplete in Apache Hadoop 2.7.4 to 2.7.6 (CVE-2018-11766).
In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The YARN NodeManager can leak the password for credential store provider used by the NodeManager to YARN Applications.
If you use the CredentialProvider feature to encrypt passwords used in NodeManager configs, it may be possible for any Container launched by that NodeManager to gain access to the encryption password. The other passwords themselves are not directly exposed.
Vulnerability allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
In a cluster where the YARN user has been granted access to all HDFS encryption keys, if a file in an encryption zone with access permissions that make it world readable is localized via YARN’s localization mechanism, e.g. via the MapReduce distributed cache, that file will be stored in a world-readable location and shared freely with any application that requests to localize that file, no matter who the application owner is or whether that user should be allowed to access files from the target encryption zone.