CVE-2014-3627
Improper Link Resolution Before File Access in Apache Hadoop
EPSS 1.6%
Description
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
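The flaw the description outlines is a classic post-extraction permission fix-up done through a symlink: the NodeManager unpacks a public distributed-cache tarball and then makes the unpacked tree world-readable, and a symlink planted in the archive redirects that chmod to a file the archive author should not be able to touch. The following Python example is added here to illustrate that pattern and a hardened counterpart; it is not Hadoop's code (Hadoop is Java) and it assumes a POSIX filesystem. The archive, the file names (`app/README`, `app/notes`) and the out-of-tree target file are constructed for the demonstration.

```python
import io
import os
import stat
import tarfile
import tempfile

FILE_MODE = 0o644   # "public" localized resources are made world-readable
DIR_MODE = 0o755


def build_tar(link_target=None):
    """Constructed sample archive: one regular file and, optionally, a symlink
    entry whose target lies outside the extraction directory (the attack)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("app/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        if link_target is not None:
            link = tarfile.TarInfo("app/notes")
            link.type = tarfile.SYMTYPE
            link.linkname = link_target
            tar.addfile(link)
    return buf.getvalue()


def _unpack(tar, members, dest):
    """Minimal extractor (no tarfile.extractall, so behaviour does not depend
    on the Python version's default extraction filter)."""
    for m in members:
        path = os.path.join(dest, m.name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if m.isdir():
            os.makedirs(path, exist_ok=True)
        elif m.isfile():
            with open(path, "wb") as f:
                f.write(tar.extractfile(m).read())
        elif m.issym():
            os.symlink(m.linkname, path)


def naive_localize(tar_bytes, dest):
    """Vulnerable pattern: unpack everything, then 'chmod -R' the tree.
    os.chmod() follows symlinks, so a link in the archive redirects the
    permission change to whatever file it points at."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        _unpack(tar, tar.getmembers(), dest)
    for root, dirs, files in os.walk(dest):
        for name in dirs + files:
            path = os.path.join(root, name)
            os.chmod(path, DIR_MODE if os.path.isdir(path) else FILE_MODE)


def vet_member(m):
    """Reject entries that can redirect later file operations outside dest."""
    if os.path.isabs(m.name) or ".." in m.name.split("/"):
        raise ValueError(f"path escapes destination: {m.name}")
    if m.issym() or m.islnk():
        raise ValueError(f"link entry not allowed in public archive: {m.name}")
    if not (m.isfile() or m.isdir()):
        raise ValueError(f"unsupported entry type: {m.name}")


def safe_localize(tar_bytes, dest):
    """Hardened pattern: vet every member before writing anything, and never
    chmod through a link even if one somehow ends up in the tree."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        members = tar.getmembers()
        for m in members:
            vet_member(m)
        _unpack(tar, members, dest)
    for root, dirs, files in os.walk(dest):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)          # lstat: inspect the link itself
            if stat.S_ISLNK(st.st_mode):
                continue                 # defence in depth: skip links
            os.chmod(path, DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE)


def demo():
    """Run both localizers against a constructed malicious archive. Returns the
    mode bits of the out-of-tree target after each run, whether the hardened
    path refused the archive, and the mode of a benignly localized file."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "private.txt")   # victim file, owner-only
        with open(target, "w") as f:
            f.write("owner-only\n")
        os.chmod(target, 0o600)
        evil = build_tar(link_target=target)

        naive_localize(evil, os.path.join(work, "naive"))
        after_naive = stat.S_IMODE(os.stat(target).st_mode)   # now 0o644

        os.chmod(target, 0o600)
        safe_dest = os.path.join(work, "safe")
        try:
            safe_localize(evil, safe_dest)
            rejected = False
        except ValueError:
            rejected = True
        after_safe = stat.S_IMODE(os.stat(target).st_mode)    # still 0o600

        safe_localize(build_tar(), safe_dest)                 # benign archive
        readme = os.path.join(safe_dest, "app", "README")
        readme_mode = stat.S_IMODE(os.stat(readme).st_mode)
    return {"naive": after_naive, "safe": after_safe,
            "rejected": rejected, "readme": readme_mode}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to any localizer: the decision about what an archive may contain has to be made before the first byte is written to disk (a symlink or hard link that has already been created is what makes the later chmod dangerous), and any recursive permission walk should use `lstat` and skip links rather than trusting that the tree is clean.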
How to fix CVE-2014-3627
To remediate CVE-2014-3627, upgrade the affected package to a fixed version. The version data below covers only the 0.23.x line; per the description above, 2.x releases before 2.5.2 are affected as well, so 2.x deployments should move to 2.5.2 or later.
- Maven/org.apache.hadoop:hadoop-client: upgrade to 1.0.1 or later (0.23.x line); for 2.x, upgrade to 2.5.2 or later
Is CVE-2014-3627 being exploited?
Low. EPSS 1.6% is the model's estimated probability of exploitation in the next 30 days, not a record of observed attacks, and it is a low score. The precondition in the description is a Kerberos-secured cluster whose users can submit public distributed-cache archives, so clusters that accept jobs from untrusted users should prioritise the upgrade regardless of the score.
Affected packages (1)
- Maven/org.apache.hadoop:hadoop-client: >= 0.23.0, < 1.0.1