
CVE-2022-25168

Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar

  • Severity Score: 9.8 (CVSS v3.1)
  • Exploit Likelihood (EPSS): not listed
  • Affected Versions (CPE): see the table below
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before passing it to the shell, so an attacker who controls the file name can inject arbitrary commands. In Hadoop 3.3 this API is only used by InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. In Hadoop 2.x it was used for YARN localization, which does enable remote code execution. It is also used by Apache Spark for the SQL command ADD ARCHIVE; as ADD ARCHIVE adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions on the caller. SPARK-38305 ("Check existence of file before untarring/zipping"), included in Spark 3.3.0, 3.1.4 and 3.2.2, prevents shell commands from being executed regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (which include HADOOP-18136).
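The weakness the description names is a caller-supplied file name spliced into a string that a shell re-parses. The following is an added illustration, not Hadoop's or Spark's source code: the unsafe shape is assumed from the description (the real unTarUsingTar code is not reproduced here), and the hardened form combines the existence check that SPARK-38305 is described as adding with an argv-based ProcessBuilder invocation that bypasses the shell entirely. The class name UntarPattern, the method names and the two sample file names are constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

// Added illustration (not the project's code): a shell-string untar, the pattern
// the advisory describes, beside an argv-based invocation guarded by an existence check.
public class UntarPattern {

    // Vulnerable pattern (assumed shape, modelled on the description): the caller-supplied
    // path becomes part of one string that "bash -c" re-parses, so any shell metacharacter
    // in the name is interpreted as shell syntax rather than as part of a file name.
    static String[] shellCommandUnsafe(File archive, File dest) {
        String cmd = "cd " + dest.getPath() + " && tar -xf " + archive.getPath();
        return new String[] { "bash", "-c", cmd };
    }

    // Review/triage helper: does a name contain characters a POSIX shell would treat
    // specially if the name ever reached one?
    static boolean hasShellMetacharacters(String name) {
        final String meta = "$`;|&<>()'\"\\\n*?[]{}~!#";
        return name.chars().anyMatch(c -> meta.indexOf(c) >= 0);
    }

    // Hardened form: refuse anything that is not an existing regular file (the check the
    // Spark fix is described as adding), then hand tar an argument vector directly.
    // No shell is involved, so the name is never re-parsed.
    static ProcessBuilder untarCommandSafe(File archive, File dest) throws IOException {
        File a = archive.getCanonicalFile();
        File d = dest.getCanonicalFile();
        if (!a.isFile()) {
            throw new IOException("archive does not exist or is not a regular file: " + a);
        }
        if (!d.isDirectory()) {
            throw new IOException("destination is not a directory: " + d);
        }
        // -C changes directory inside tar itself; no "cd ... &&" string and no bash.
        return new ProcessBuilder("tar", "-xf", a.getPath(), "-C", d.getPath());
    }

    public static void main(String[] args) {
        File dest = new File(System.getProperty("java.io.tmpdir"));
        // Constructed sample names: a plain one and one carrying shell metacharacters.
        for (String name : List.of("data.tar", "data.tar; echo injected")) {
            File archive = new File(dest, name);
            String[] unsafe = shellCommandUnsafe(archive, dest);
            System.out.println("bash -c string : " + unsafe[2]);
            System.out.println("metacharacters : " + hasShellMetacharacters(name));
            try {
                ProcessBuilder pb = untarCommandSafe(archive, dest);
                System.out.println("argv           : " + pb.command());
            } catch (IOException e) {
                // Neither constructed file exists, so the hardened form rejects both
                // before any process is started.
                System.out.println("rejected       : " + e.getMessage());
            }
            System.out.println();
        }
    }
}
```

Run with `javac UntarPattern.java && java UntarPattern`. The printed `bash -c` string for the second name shows how the shell would see a second command after `;`, while `hasShellMetacharacters` flags that name and `untarCommandSafe` rejects it on the existence check before anything runs; with an argument vector, even a name that does pass the check reaches tar as a single argument rather than as shell syntax.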


*Credits: Apache Hadoop would like to thank Kostya Kortchinsky for reporting this issue.
CVSS Scores (v3.1)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-02-15 CVE Reserved
  • 2022-08-04 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-26 EPSS Updated
  • Exploited in Wild, KEV Due Date, First Exploit: none recorded
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Vendors, Products, and Versions
  Vendor   Product   Version               Other   Status
  Apache   Hadoop    >= 2.0.0 <= 2.10.1    -       Affected
  Apache   Hadoop    >= 3.0.0 <= 3.2.3     -       Affected
  Apache   Hadoop    >= 3.3.0 <= 3.3.2     -       Affected