It was fun to work with Hadoop security in 2014… This vuln was a tricky one because I was responsible for Hadoop managed service platform security, and our clients had SSH access to Hadoop cluster nodes in some cases.
If I remember correctly, the fix wasn’t easy – it required the release of a new CDH version which moved configuration parameters between files (world-readable access was required for the Hadoop client to function). And then, several months later, it reappeared after another patch.
I missed that one of my reported old CVEs was finally published: https://t.co/1wRygqPbRR
Low risk, it caused some problems with compliance
— Mikhail Samoylenko (@m_samoylenko) August 22, 2016