Fixed Common Vulnerabilities and Exposures
This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed in this release.
| Summary: Use of insecure cookies |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas uses cookies that could be accessible to client-side scripts. |
| Fix detail: Atlas was updated to make the cookies unavailable to client-side scripts. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |

| Summary: Persistent XSS vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to a Stored Cross-Site Scripting in the edit-tag functionality. |
| Fix detail: Atlas was updated to sanitize the user input. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |

| Summary: DOM XSS threat |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality. |
| Fix detail: Atlas was updated to sanitize the query parameters. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |

| Summary: Reflected XSS vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality. |
| Fix detail: Atlas was updated to sanitize the query parameters. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |

| Summary: Stack trace in error response |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Error responses from the Atlas server included a stack trace, exposing excessive information. |
| Fix detail: Atlas was updated to not include stack traces in error responses. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |

| Summary: XFS - cross frame scripting vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to cross frame scripting. |
| Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |

| Summary: Apache Knox Impersonation Issue for WebHDFS |
| Severity: Important |
| Vendor: The Apache Software Foundation |
| Versions Affected: All versions of Apache Knox prior to 0.12.0 |
| Users affected: Users who use WebHDFS through Apache Knox. |
| Impact: An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. |
| Recommended Action: Upgrade to 2.6.x |
| Mitigation: All users are recommended to upgrade to Apache Knox 0.12.0, where validation, scrubbing and logging of such attempts have been added. The Apache Knox 0.12.0 release can be downloaded from: |
| Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip |
| Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip |

| Summary: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character |
| Severity: Critical |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0 |
| Users affected: Environments that use Ranger policies with characters after the ‘*’ wildcard character, such as my*test or test*.txt |
| Impact: The policy resource matcher ignores characters after the ‘*’ wildcard character, which can result in unintended behavior. |
| Fix detail: The Ranger policy resource matcher was updated to correctly handle wildcard matches. |
| Recommended Action: Upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+). |

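As an added illustration of the wildcard defect above (not Apache Ranger's own code): `flawed_match` models a matcher that ignores everything after the first `*`, `correct_match` is a standard backtracking wildcard matcher, and `unintended_grants` lists the requests the flawed version would allow but the correct one denies. The policy patterns and request names are constructed for this example.

```python
# Added illustration, not Apache Ranger's code: a resource matcher that drops
# everything after the first '*' (the defect described in the advisory) next to
# a correct wildcard matcher, run over constructed policy patterns and requests.

SAMPLE_POLICY_RESOURCES = ["my*test", "test*.txt"]   # constructed policy resource patterns
SAMPLE_REQUESTS = ["mytest", "myfoo", "test1.txt", "test1.txt.bak", "other"]  # constructed


def flawed_match(pattern: str, resource: str) -> bool:
    """Defective behaviour: text after '*' is ignored, so 'my*test' acts as 'my*'."""
    head, star, _ignored_tail = pattern.partition("*")
    if not star:                      # no wildcard: exact match only
        return pattern == resource
    return resource.startswith(head)  # the tail after '*' never constrains the match


def correct_match(pattern: str, resource: str) -> bool:
    """'*' matches any (possibly empty) run of characters; the text after it must still match."""
    p = r = 0
    star = -1        # index of the last '*' seen in the pattern
    backtrack = 0    # resource position to resume from if the text after '*' fails
    while r < len(resource):
        if p < len(pattern) and pattern[p] == "*":
            star, backtrack, p = p, r, p + 1
        elif p < len(pattern) and pattern[p] == resource[r]:
            p += 1
            r += 1
        elif star != -1:              # let the last '*' absorb one more character
            backtrack += 1
            r = backtrack
            p = star + 1
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":   # trailing '*' may match nothing
        p += 1
    return p == len(pattern)


def resources_granted(matcher, requests):
    """Requests that some policy resource pattern matches under the given matcher."""
    return [req for req in requests
            if any(matcher(pat, req) for pat in SAMPLE_POLICY_RESOURCES)]


def unintended_grants(requests):
    """Requests the flawed matcher allows but the correct matcher denies: the
    over-broad access the advisory warns about."""
    flawed = set(resources_granted(flawed_match, requests))
    correct = set(resources_granted(correct_match, requests))
    return sorted(flawed - correct)
```

Running `unintended_grants(SAMPLE_REQUESTS)` shows that `myfoo` and `test1.txt.bak` would be matched by the flawed matcher even though neither satisfies the pattern's text after the wildcard.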
| Summary: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified |
| Severity: Critical |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0 |
| Users affected: Environments that use an external location for Hive tables |
| Impact: In environments that use an external location for Hive tables, the Apache Ranger Hive Authorizer should check for RWX permission on the external location specified for create table. |
| Fix detail: The Ranger Hive Authorizer was updated to correctly handle the permission check with an external location. |
| Recommended Action: Users should upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+). |

| Summary: Potential execution of code as the wrong user in Apache Storm |
| Severity: Important |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.4.0, HDP-2.5.0, HDP-2.6.0 |
| Users affected: Users who run Storm in secure mode and use the blobstore to distribute topology-based artifacts or any other topology resources. |
| Impact: Under some situations and configurations of Storm it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case, this could lead to the secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security enabled. |
| Mitigation: Upgrade to HDP-2.6.2.1, as there are currently no workarounds. |

| Summary: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop) |
| Severity: Moderate |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.x.x since 2.3.x |
| Users affected: All users that use HDFS. |
| Impact: Impact is low, as Hortonworks does not use OpenSslEngine.java directly in the Hadoop codebase. |
| Recommended Action: Upgrade to 2.6.3. |

| Summary: Apache Ranger path matching issue in policy evaluation |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the Ranger policy admin tool. |
| Impact: The Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags. |
| Fix detail: Fixed policy evaluation logic |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+) |

| Summary: Apache Ranger stored cross site scripting issue |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the Ranger policy admin tool. |
| Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that executes when normal users log in and access policies. |
| Fix detail: Added logic to sanitize the user input. |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+) |

| Summary: Atlas web server allows user to browse webapp directory |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0, 0.7.0 or 0.7.1 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas users can access the webapp directory contents by pointing to URIs like /js, /img |
| Fix detail: Atlas was updated to prevent browsing of webapp directory contents |
| Mitigation: Users should upgrade to Apache Atlas 0.8-incubating or later version |