  1. Apache Storm
  2. STORM-4002

Security Vulnerability - Action Required: “Incorrect Permission Assignment for Critical Resource” vulnerability in some components of org.apache.storm


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.1.0, 1.1.1, 1.2.0, 1.1.2, 1.2.1, 1.1.3, 1.2.2
    • Fix Version/s: None
    • Component/s: storm-kafka, storm-starter
    • Labels: None

    Description

       I think the method org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache) may have an “Incorrect Permission Assignment for Critical Resource” vulnerability which is present in some components of org.apache.storm. It shares similarities with a recent CVE disclosure, CVE-2017-3166, in the "apache/hadoop" project. The influencing components are listed below:

      1. org.apache.storm:storm-kafka-examples in the versions between 1.1.0 and 1.2.4.
      2. org.apache.storm:storm-starter in the versions of 1.1.2-1.1.3 and 1.2.0-1.2.2

      The source vulnerability information is as follows: 

      Vulnerability Detail:

      CVE Identifier: CVE-2017-3166

      Description: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

      Reference:  https://nvd.nist.gov/vuln/detail/CVE-2017-3166

      Patch: https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29

      Vulnerability Description: The vulnerability is present in the class org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager, in the method checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache), which is responsible for checking the permissions of other files in the distributed cache. But the check snippet is similar to the vulnerable snippet for CVE-2017-3166 and may have the same consequence as CVE-2017-3166: a file in an encryption zone with access permissions will be stored in a world-readable location and can be freely shared with any application that requests the file to be localized. Therefore, maybe you need to fix the vulnerability with much the same fix code as the CVE-2017-3166 patch.
          Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you and look forward to hearing from you soon.
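
      An added example, not part of the original report and not Hadoop or Storm code: a simplified Python model of the cache-visibility decision that the CVE-2017-3166 description concerns, comparing a permission-only check with one that also treats encrypted files as private. The `Entry` type, the function names, the sample tree and the scope labels are all constructed assumptions.

```python
from dataclasses import dataclass

OTHER_READ = 0o004   # "other" read bit
OTHER_EXEC = 0o001   # "other" execute (traverse) bit

@dataclass(frozen=True)
class Entry:
    """Constructed stand-in for a file status: mode bits plus an encryption flag."""
    mode: int
    encrypted: bool = False

def ancestors_world_executable(path, tree):
    """True if every parent directory of `path` can be traversed by 'other'."""
    current = ""
    for part in path.strip("/").split("/")[:-1]:
        current += "/" + part
        if not tree[current].mode & OTHER_EXEC:
            return False
    return True

def is_public_permission_only(path, tree):
    """Permission-only decision: world-readable file under traversable parents."""
    return bool(tree[path].mode & OTHER_READ) and ancestors_world_executable(path, tree)

def is_public_hardened(path, tree):
    """Assumed hardened form: a file in an encryption zone is never public."""
    return not tree[path].encrypted and is_public_permission_only(path, tree)

def cache_scope(path, tree, check):
    """Where a localized copy would land under the given check (labels are illustrative)."""
    return "shared-world-readable" if check(path, tree) else "per-user-private"

def audit(tree, files):
    """Files whose localized copy is shared only because encryption was ignored."""
    return [f for f in files
            if cache_scope(f, tree, is_public_permission_only)
            != cache_scope(f, tree, is_public_hardened)]

# Constructed sample tree, not taken from any real cluster.
TREE = {
    "/data": Entry(0o755),
    "/data/plain": Entry(0o755),
    "/data/plain/lookup.csv": Entry(0o644),
    "/data/zone": Entry(0o755, encrypted=True),
    "/data/zone/keys.csv": Entry(0o644, encrypted=True),
    "/data/locked": Entry(0o750),
    "/data/locked/a.csv": Entry(0o644),
}
FILES = ["/data/plain/lookup.csv", "/data/zone/keys.csv", "/data/locked/a.csv"]

if __name__ == "__main__":
    print(audit(TREE, FILES))
```

      Only the encrypted, world-readable file changes scope between the two checks; the file under the non-traversable directory is private under both.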
       

            People

              Assignee: Unassigned
              Reporter: Yiheng Cao (crispy-fried-chicken)