CVE-2024-23454: 
Java vulnerability analysis and mitigation

Apache Hadoop's RunJar.run() vulnerability (CVE-2024-23454) was discovered and disclosed on September 25, 2024. This security flaw affects Apache Hadoop versions prior to 3.4.0. The vulnerability exists in the temporary directory permissions management, where the RunJar.run() function does not set proper permissions by default (Apache List, OSS Security).

The vulnerability stems from the RunJar.run() function's failure to set appropriate permissions for temporary directories. On Unix-like systems, where the system temporary directory is shared between all local users, files written without explicit POSIX permissions settings may be accessible to all local users. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating local access with no privileges required (NVD).

The primary impact of this vulnerability is the potential disclosure of sensitive information. If sensitive data is present in the temporary files created by RunJar.run(), all local users on the system may be able to view this content, leading to unauthorized access to potentially confidential information (Apache JIRA).

The vulnerability has been fixed in Apache Hadoop version 3.4.0. Organizations running affected versions should upgrade to version 3.4.0 or later to address this security issue (Apache JIRA).