CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26031 – Privilege escalation in Apache Hadoop Yarn container-executor binary on Linux systems
https://notcve.org/view.php?id=CVE-2023-26031
Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges. Hadoop 3.3.0 updated the " YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html " to add a feature for executing user-submitted applications in isolated linux containers. The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs. The patch " YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable" modified the library loading path for loading .so files from "$ORIGIN/" to ""$ORIGIN/:../lib/native/". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root. If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges. The fix for the vulnerability is to revert the change, which is done in YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , "Revert YARN-10495". • https://hadoop.apache.org/cve_list.html https://issues.apache.org/jira/browse/YARN-11441 https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r https://security.netapp.com/advisory/ntap-20240112-0001 • CWE-426: Untrusted Search Path •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-25642 – Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler
https://notcve.org/view.php?id=CVE-2021-25642
ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used. ZKConfigurationStore que es usado opcionalmente por CapacityScheduler de Apache Hadoop YARN de serializa los datos obtenidos de ZooKeeper sin comprobación. Un atacante que tenga acceso a ZooKeeper puede ejecutar comandos arbitrarios como usuario de YARN al aprovechar esto. • https://github.com/safe3s/CVE-2021-25642 https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150 https://security.netapp.com/advisory/ntap-20221201-0003 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-25168 – Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar
https://notcve.org/view.php?id=CVE-2022-25168
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. • https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130 https://security.netapp.com/advisory/ntap-20220915-0007 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2021-33036 – Apache Hadoop Privilege escalation vulnerability
https://notcve.org/view.php?id=CVE-2021-33036
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. En Apache Hadoop versiones 2.2.0 a 2.10.1, 3.0.0-alpha1 a 3.1.4, 3.2.0 a 3.2.2 y 3.3.0 a 3.3.1, un usuario que puede escalar a usuario hilo puede ejecutar posiblemente comandos arbitrarios como usuario root. Los usuarios deben actualizar a Apache Hadoop versiones 2.10.2, 3.2.3, 3.3.2 o superior • http://www.openwall.com/lists/oss-security/2022/06/15/2 https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5 https://security.netapp.com/advisory/ntap-20220722-0003 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-24: Path Traversal: '../filedir' CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-37404 – Heap buffer overflow in libhdfs native library
https://notcve.org/view.php?id=CVE-2021-37404
There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. Se presenta un potencial desbordamiento del búfer de la pila en el código nativo de Apache Hadoop libhdfs. La apertura de una ruta de archivo proporcionada por el usuario sin que sea comprobada puede resultar en una denegación de servicio o una ejecución de código arbitrario. • https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo https://security.netapp.com/advisory/ntap-20220715-0007 • CWE-787: Out-of-bounds Write •