CVE-2022-26612

Arbitrary file write in FileUtil#unpackEntries on Windows

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

En Apache Hadoop, la función unTar usa la función unTarUsingJava en Windows y la utilidad tar incorporada en Unix y otros sistemas operativos. Como resultado, una entrada TAR puede crear un enlace simbólico bajo el directorio de extracción esperado que apunta a un directorio externo. Una entrada TAR posterior puede extraer un archivo arbitrario en el directorio externo usando el nombre del enlace simbólico. Sin embargo, esto sería detectado por la misma comprobación targetDirPath en Unix debido a la llamada getCanonicalPath. Sin embargo, en Windows, getCanonicalPath no resuelve los enlaces simbólicos, lo que evita la comprobación. unpackEntries durante la extracción del TAR sigue los enlaces simbólicos, lo que permite escribir fuera del directorio base esperado en Windows. Esto ha sido abordado en Apache Hadoop versión 3.2.3

*Credits: This issue was reported by a member of GitHub Security Lab, Jaroslav Lobačevski (https://github.com/JarLob).

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-03-07 CVE Reserved
2022-04-07 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-11-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CAPEC

References (2)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20220519-0004	Third Party Advisory

URL	Date	SRC
https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"	Hadoop Search vendor "Apache" for product "Hadoop"	< 3.2.3 Search vendor "Apache" for product "Hadoop" and version " < 3.2.3"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Hadoop Search vendor "Apache" for product "Hadoop"	3.3.1 Search vendor "Apache" for product "Hadoop" and version "3.3.1"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Hadoop Search vendor "Apache" for product "Hadoop"	3.3.2 Search vendor "Apache" for product "Hadoop" and version "3.3.2"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe