Information disclosure in Hadoop - CVE-2016-3086
Published: September 5, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38357
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-3086
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Hadoop
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for the credential store provider used by the NodeManager to YARN Applications.
How to mitigate CVE-2016-3086
Install the update from the vendor's website.