VYPR
Critical severity · NVD Advisory · Published Jan 24, 2018 · Updated Sep 17, 2024

CVE-2017-15718

Description

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for the credential store provider used by the NodeManager to YARN applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

YARN NodeManager in Hadoop 2.7.3 and 2.7.4 leaks the credential store provider password to YARN applications, exposing sensitive credentials.

Vulnerability

The YARN NodeManager component in Apache Hadoop versions 2.7.3 and 2.7.4 contains a vulnerability where the password used for the credential store provider (used by the NodeManager itself) is leaked to running YARN Applications. The password is exposed via environment variables or other means that allow applications to retrieve the credential store password rather than only the expected delegated tokens. This affects the core security mechanism intended to protect credential stores.

Exploitation

An attacker who can submit a YARN application or container to a cluster running the affected Hadoop versions (2.7.3 or 2.7.4) can retrieve the NodeManager's credential store password. No special network position beyond normal application submission is required, as the password is inadvertently made accessible within the application's context. The attacker does not need prior authentication to the credential store; the vulnerability itself leaks the password to the running application.

Impact

Successful exploitation results in disclosure of the credential store provider's password. With this password, an attacker could decrypt or access secrets stored in the credential store (e.g., other service passwords, keys) that the NodeManager uses. This elevates the risk from information disclosure to broader compromise of Hadoop cluster secrets, depending on the credential store contents.

Mitigation

Apache has released fixes for Hadoop 2.7.3 and 2.7.4. Users should upgrade to Hadoop 2.7.5 or later [1][2]. The vendor advisory provides details on the patched version [1]. No workaround is documented; the only mitigation is applying the update. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of last review.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
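The Vulnerability and Mitigation sections above describe the flaw as the NodeManager's own credential store password becoming visible inside an application's container environment, with upgrading as the only fix. The following is an added example, not Hadoop project code and not the actual patch: it models that class of flaw as a container-launch environment that inherits the daemon's process environment, puts the allowlist-based hardened form beside it, and adds an audit that a defender can run over a launch environment or a launch_container.sh-style script to spot secret-looking exports. HADOOP_CREDSTORE_PASSWORD is the real environment variable Hadoop's JavaKeyStoreProvider reads for the credential store password; whether the 2.7.3/2.7.4 leak travelled through exactly that variable is not stated on this page, so that mapping is an assumption. All environment values and the sample script are constructed.

```python
"""Added example (not Hadoop project code): audit and sanitize the environment
handed to a YARN container, modelling the class of flaw behind CVE-2017-15718
where NodeManager process variables become visible to application containers.

Assumption: HADOOP_CREDSTORE_PASSWORD is the environment variable Hadoop's
JavaKeyStoreProvider reads; the page does not state the exact leak path.
All values below are constructed samples, not real secrets."""
import re

# Names treated as secrets: the known Hadoop variable plus generic patterns
# (the generic patterns are this example's choice, not from the advisory).
SECRET_NAME_PATTERNS = (
    re.compile(r"^HADOOP_CREDSTORE_PASSWORD$"),
    re.compile(r"(^|_)(PASSWORD|PASSWD|SECRET)(_|$)", re.IGNORECASE),
)

# Constructed NodeManager process environment.
NODEMANAGER_ENV = {
    "JAVA_HOME": "/usr/lib/jvm/java-8",
    "HADOOP_CONF_DIR": "/etc/hadoop/conf",
    "HADOOP_YARN_HOME": "/opt/hadoop",
    "HADOOP_CREDSTORE_PASSWORD": "nm-keystore-pass-EXAMPLE",
}

# Constructed environment an application asks for at submission time.
APP_ENV = {"CLASSPATH": "{{CLASSPATH}}", "APP_NAME": "wordcount"}

# Hypothetical allowlist: the only NodeManager variables a container may inherit.
ALLOWED_INHERITED = ("JAVA_HOME", "HADOOP_CONF_DIR", "HADOOP_YARN_HOME")

# Constructed launch_container.sh-style script of the kind YARN writes per container.
SAMPLE_LAUNCH_SCRIPT = """#!/bin/bash
export JAVA_HOME="/usr/lib/jvm/java-8"
export HADOOP_CREDSTORE_PASSWORD="nm-keystore-pass-EXAMPLE"
export APP_NAME="wordcount"
exec /bin/bash -c "$JAVA_HOME/bin/java -cp $CLASSPATH org.example.Main"
"""

EXPORT_LINE = re.compile(r"^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=")


def is_secret_name(name):
    """True if the variable name looks like it carries a credential."""
    return any(p.search(name) for p in SECRET_NAME_PATTERNS)


def build_container_env_vulnerable(nm_env, app_env):
    """Flawed pattern: start from the whole NodeManager environment, so any
    secret the daemon holds (here the credential store password) is inherited."""
    env = dict(nm_env)
    env.update(app_env)
    return env


def build_container_env_hardened(nm_env, app_env, allowed=ALLOWED_INHERITED):
    """Forward only an explicit allowlist from the NodeManager and reject any
    secret-looking name, whether it came from the daemon or from the application."""
    env = {k: nm_env[k] for k in allowed if k in nm_env and not is_secret_name(k)}
    for k, v in app_env.items():
        if is_secret_name(k):
            raise ValueError(f"refusing to pass secret-looking variable {k!r} to a container")
        env[k] = v
    return env


def audit_container_env(env):
    """Names in a container launch environment that look like secrets; empty means clean."""
    return sorted(k for k in env if is_secret_name(k))


def audit_launch_script(script):
    """Same check over the `export NAME=...` lines of a launch script, for use
    on scripts already written to disk (detection rather than prevention)."""
    matches = (EXPORT_LINE.match(line) for line in script.splitlines())
    exported = [m.group(1) for m in matches if m]
    return sorted(k for k in exported if is_secret_name(k))


if __name__ == "__main__":
    leaky = build_container_env_vulnerable(NODEMANAGER_ENV, APP_ENV)
    safe = build_container_env_hardened(NODEMANAGER_ENV, APP_ENV)
    print("vulnerable launch env leaks:", audit_container_env(leaky))
    print("hardened launch env leaks:", audit_container_env(safe))
    print("launch script exports secrets:", audit_launch_script(SAMPLE_LAUNCH_SCRIPT))
```

The design point is that the hardened builder never starts from the daemon's full environment: inheritance is opt-in by name, and a name-based secret filter is applied on both the inherited and the application-supplied side, so a misconfigured submission cannot smuggle a password variable into the container either. On a cluster that cannot be upgraded immediately, the script audit gives an operator a way to confirm whether launch scripts on disk actually carry the credential store password.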

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.hadoop:hadoop-main (Maven)
Affected versions: >= 2.7.3, < 2.7.5
Patched versions: 2.7.5

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)