Typo causing misreporting of Hadoop 2.9.x as vulnerable

In gb_apache_hadoop_priv_esc_vuln_may18.nasl to detect CVE-2016-6811 on specific as per the description states Apache Hadoop versions 2.2.0 to 2.7.3 the version test compares with 2.9.3 instead of 2.7.3:
if(version_in_range(version:hadoopVer, test_version:"2.2.0", test_version2: "2.9.3"))

This causes an FP up to very recent Hadoop versions on branch 2.9.x. There is no indication that this CVE includes anything after 2.7.3 so this is very likely a typo in the version test.

1 Like

Hi there,

thanks for bringing this to our attention. You are right, of course, this is indeed a false-positive.

The issue has been fixed and will be in the feed in a couple of days.