Page History

...

Credit:  Krzysztof Przybylski from STM Solutions

Fixed in Ambari 2.5.1

...

CVE-2017-5654: XML injection vulnerability in Hive View

...

Credit: New York Life Insurance Company

...

CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations

...

Credit: Pradeep Bhadani

Fixed in Ambari 2.5.0

...

CVE-2017-5642: Ambari Server artifacts do not have proper ACLs

...

Credit: Hortonworks

Fixed in Ambari 2.4.3

...

CVE-2017-5642: Ambari Server artifacts do not have proper ACLs

...

Mitigation: Ambari users should upgrade to version 2.5.0 or above.  For users of Version 2.4.0 through Version 2.4.2, either upgrade to version 2.4.3 or execute the script provided with Version 2.5.0 to correct the ACLs on Ambari server artifacts. 
The proper ACL's are set for installed Ambari artifacts in Ambari versions 2.4.3, 2.5.0 and later. However, users of Version 2.4.0 through 2.4.2 may execute the script found at https://github.com/apache/ambari/blob/release-2.5.0/ambari-server/src/main/resources/scripts/check_ambari_permissions.py to fix the permissions on Ambari server artifacts on the Ambari server host.

Credit: Hortonworks

...

CVE-2017-5654: XML injection vulnerability in Hive View

...

Credit: New York Life Insurance Company

...

CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations

...

Credit: Pradeep Bhadani

Fixed in Ambari 2.4.2

...

CVE-2016-6807: Custom commands may be executed without authorization

...

Credit: Nitya Kumar Sharma from Microsoft

Fixed in Ambari 2.4.0

...

CVE-2014-3582: OpenSSL parameter injection vulnerability

...

Mitigation: Ambari users should upgrade to version 2.4.0 or above.
Version 2.4.0 onwards properly enforces that agent-supplied host names are valid hostnames before attempting to execute OpenSSL commands to create SSL certificates. However, this feature may be disabled by setting security.agent.hostname.validate to "false" in the ambari.properties file. It is strongly recommended that the default value of security.agent.hostname.validate is not changed since it may enable this vulnerability.

Credit: David Jorm

...

CVE-2016-4976: Apache Ambari kadmin password visibility vulnerability

...

Credit: Greg S. Senia from New York Life Insurance Company.

Fixed in Ambari 2.2.1

...

CVE-2016-0731: Ambari File Browser View security vulnerability

...

Mitigation: Ambari users should upgrade to versions 2.2.1 or above.

Fixed in Ambari 2.1.2

...

CVE-2016-0707: File System Permissions aren't restrictive enough for the Agent/Command logs

...

• chmod -R 0600 /var/lib/ambari-agent/data
• chmod -R a+X /var/lib/ambari-agent/data
• chmod -R a+rx /var/lib/ambari-agent/data/tmp
• chmod 0600 /var/lib/ambari-agent/keys/*.key

CVE-2015-5210: Unvalidated Redirects and Forwards using targetURI parameter can enable phishing exploits 

...

Mitigation: Ambari users should upgrade to version 2.1.2 or above. Version 2.1.2 onwards redirect locations must be relative URLs.

Fixed in Ambari 2.1.1

...

CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely

...

In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected such that only a user with administrator privileges can esculate a user's privileges. A user, however, may still access the endpoint but may only change their own password. 

Fixed in Ambari 2.1.0

...

CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability

...

Credit: This issue was discovered by  Mateusz Olejarka (SecuRing).