CVE-2022-25168
Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before passing it to the shell, so an attacker who controls that name can inject arbitrary commands. In Hadoop 3.3 the API is only used by InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. In Hadoop 2.x it has been used for YARN localization, where it does enable remote code execution. It is also used by Apache Spark's SQL command ADD ARCHIVE; since ADD ARCHIVE already adds new binaries to the classpath, being able to execute shell scripts confers no new permissions on the caller. SPARK-38305, "Check existence of file before untarring/zipping", included in Spark 3.3.0, 3.1.4 and 3.2.2, prevents shell commands from being executed regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (which include HADOOP-18136).
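As an added illustration (not Hadoop's own FileUtil code), the helper below applies the two mitigations the advisory describes: it checks that the archive exists before doing anything (the SPARK-38305 approach) and never hands the file name to a shell, giving tar an argument vector instead. The class and method names are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/** Hypothetical hardened replacement for a shell-based untar (illustration only). */
public final class SafeUntar {

    /**
     * Extract {@code archive} into {@code destDir} without a shell in the path.
     * Each element of the command is a separate argv entry, so characters such as
     * ';', '`' or '$(' in the file name reach tar as plain bytes, never a command parser.
     */
    public static void unTar(File archive, File destDir) throws IOException, InterruptedException {
        // Fail closed on missing or non-regular input (the SPARK-38305 mitigation).
        if (!archive.isFile()) {
            throw new IOException("archive does not exist or is not a regular file: " + archive);
        }
        if (!destDir.isDirectory() && !destDir.mkdirs()) {
            throw new IOException("cannot create destination directory: " + destDir);
        }
        boolean gzipped = archive.getName().endsWith("gz");
        // Argument vector, no "bash -c". The archive path is consumed as the value of
        // -f, so even a name starting with '-' cannot be parsed as a tar option.
        List<String> cmd = Arrays.asList(
                "tar", gzipped ? "-xz" : "-x",
                "-C", destDir.getCanonicalPath(),
                "-f", archive.getCanonicalPath());
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).inheritIO().start();
        int rc = p.waitFor();
        if (rc != 0) {
            throw new IOException("tar exited with status " + rc + " for " + archive);
        }
    }
}
```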
SSVC
- Decision: -
Timeline
- 2022-02-15 CVE Reserved
- 2022-08-04 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-26 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References (2)
URL | Tag | Source
---|---|---
https://security.netapp.com/advisory/ntap-20220915-0007 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130 | 2023-06-26 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Hadoop | >= 2.0.0 <= 2.10.1 | - | Affected
Apache | Hadoop | >= 3.0.0 <= 3.2.3 | - | Affected
Apache | Hadoop | >= 3.3.0 <= 3.3.2 | - | Affected