
=====================================================================

                                     CERT-Renater

                         Information Note No. 2022/VULN303

_____________________________________________________________________

DATE                : 31/08/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Hadoop versions prior to
                     3.3.4.

=====================================================================
https://lists.apache.org/thread/w1nf92148xcnxl5ys0owtokf9y0l9zsv
https://lists.apache.org/thread/j5w64vkrvp3x18gl8zcx5vl8149vs0gb
https://lists.apache.org/thread/ktplnsr0b9zn8ylzb98zcnt5gydfvjm1
_____________________________________________________________________

CVE-2021-25642: Apache Hadoop YARN remote code execution in
ZKConfigurationStore of capacity scheduler

Severity: important

Versions affected:

2.9.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 3.3.0 to 3.3.3


Description:

ZKConfigurationStore, which is optionally used by the CapacityScheduler
of Apache Hadoop YARN, deserializes data obtained from ZooKeeper without
validation. An attacker with access to ZooKeeper can run arbitrary
commands as the YARN user by exploiting this.

Mitigation:

Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later
(containing YARN-11126) if ZKConfigurationStore is used.

Credit:

Apache Hadoop would like to thank Liu Ximing for reporting this issue.
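The root cause above is Java object deserialization of bytes read from a
store that other parties can write to. The following is an added
illustration, not Hadoop code and not the YARN-11126 fix, of the general
countermeasure: deserializing behind an allowlisting ObjectInputFilter
(java.io.ObjectInputFilter, available since Java 9) so that only the
classes the store is expected to hold can ever be instantiated. The
assumption that the store persists a Map<String,String>, the class and
method names, and the sample byte arrays are all constructed for this
example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Hadoop code): reading serialized bytes fetched from
 * an untrusted store (for instance a ZooKeeper znode) with and without a
 * deserialization allowlist.
 */
public class FilteredStoreDeserialization {

    // Assumption for this example: the store only ever persists a
    // Map<String,String>, so only these classes are legitimate in the
    // stream.  The trailing "!*" rejects every class not listed.
    private static final ObjectInputFilter ALLOWLIST =
        ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.String;!*");

    /** Unsafe pattern: whatever class the bytes name gets instantiated. */
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: a class outside the allowlist aborts the read with InvalidClassException. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    /** Helper used only to build the constructed sample streams below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of payload the store is supposed to hold.
        Map<String, String> conf = new HashMap<>();
        conf.put("yarn.scheduler.capacity.root.queues", "default");
        byte[] expected = serialize(conf);

        // Constructed sample: a harmless but unexpected class, standing in for
        // anything a party with write access to the store could plant.
        byte[] unexpected = serialize(new Date());

        System.out.println("filtered, expected class:   " + readFiltered(expected));
        System.out.println("unchecked, unexpected class: " + readUnchecked(unexpected));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter stops the read before the Date is instantiated.
            System.out.println("filtered, unexpected class: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The allowlist is deliberately narrow: widening it to a package wildcard
such as "java.util.*" would let many more classes through, and the value
of the filter lies in listing exactly what the store is documented to
contain. Detection-wise, an InvalidClassException with a "filter status:
REJECTED" message in a service that reads from ZooKeeper is worth alerting
on, since legitimate writers never produce such streams.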

_____________________________________________________________________


[ANNOUNCE] Apache Hadoop 3.3.4 release

On behalf of the Apache Hadoop Project Management Committee, I am
pleased to announce the release of Apache Hadoop 3.3.4.

---
This is a release of the Apache Hadoop 3.3 line.

It contains a small number of security and critical integration fixes
since 3.3.3.

Users of Apache Hadoop 3.3.3 should upgrade to this release.

Users of Hadoop 2.x and Hadoop 3.2 should also upgrade to the 3.3.x
line. As well as feature enhancements, this is the sole branch currently
receiving fixes for anything other than critical security/data integrity
issues.

Users are encouraged to read the [overview of major changes][1] since
release 3.3.3.
For details of bug fixes, improvements, and other enhancements since the
previous 3.3.3 release, please check [release notes][2] and
[changelog][3].

[1]: http://hadoop.apache.org/docs/r3.3.4/index.html
[2]: http://hadoop.apache.org/docs/r3.3.4/hadoop-project-dist/hadoop-common/release/3.3.4/RELEASENOTES.3.3.4.html
[3]: http://hadoop.apache.org/docs/r3.3.4/hadoop-project-dist/hadoop-common/release/3.3.4/CHANGELOG.3.3.4.html


Many thanks to everyone who helped in this release by supplying patches,
reviewing them, helping get this release building and testing and
reviewing the final artifacts.


-Steve
_____________________________________________________________________


CVE-2022-25168: Apache Hadoop: Command injection in
org.apache.hadoop.fs.FileUtil.unTarUsingTar

Severity: important

Versions affected:

2.0.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 3.3.0 to 3.3.2

Description:

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the
input file name before it is passed to the shell. An attacker can
inject arbitrary commands.

This is only used in Hadoop 3.3
InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a
local user.

It has been used in Hadoop 2.x for yarn localization, which does
enable remote code execution.

It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD
ARCHIVE command adds new binaries to the classpath, being able to
execute shell scripts does not confer new permissions to the caller.

SPARK-38305, "Check existence of file before untarring/zipping", which
is included in 3.3.0, 3.1.4 and 3.2.2, prevents shell commands from being
executed, regardless of which version of the Hadoop libraries is in
use.


Mitigation:

Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later
(including HADOOP-18136).


Credit:

Apache Hadoop would like to thank Kostya Kortchinsky for reporting this
issue.
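The bug class described above is an archive path spliced into a command
string that is then handed to a shell. The following added example is
not Hadoop's FileUtil and not the HADOOP-18136 change; it shows the
unsafe shape beside a hardened equivalent that never invokes a shell,
passes every argument verbatim to tar through ProcessBuilder, and, as
SPARK-38305 does on the Spark side, refuses to run at all when the
archive does not exist. The class and method names and the sample file
names are constructed for this example.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Hadoop code): two ways of building the command
 * that extracts a tar archive into a directory.
 */
public class SafeUnTar {

    /**
     * Unsafe pattern: the file name is quoted by hand and concatenated into
     * a string that bash will parse.  Any quote character in the name ends
     * the quoting, and everything after it is interpreted as shell syntax.
     */
    static List<String> shellCommand(File archive, File dest) {
        String cmd = "cd '" + dest + "' && tar -xf '" + archive + "'";
        return Arrays.asList("bash", "-c", cmd);
    }

    /**
     * Hardened pattern: no shell is involved, so the name reaches tar as a
     * single argv element no matter which characters it contains.
     * Canonical paths are absolute (they start with '/'), so the name can
     * never be mistaken for a tar option either.
     */
    static List<String> directCommand(File archive, File dest) throws IOException {
        if (!archive.isFile()) {
            throw new FileNotFoundException("archive not found: " + archive);
        }
        if (!dest.isDirectory()) {
            throw new IOException("destination is not a directory: " + dest);
        }
        return Arrays.asList("tar", "-x",
                             "-f", archive.getCanonicalPath(),
                             "-C", dest.getCanonicalPath());
    }

    /** Runs the hardened command and fails loudly on a non-zero exit code. */
    static void unTar(File archive, File dest) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(directCommand(archive, dest)).inheritIO().start();
        int rc = p.waitFor();
        if (rc != 0) {
            throw new IOException("tar exited with status " + rc);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legal file name containing a single quote,
        // which is enough to break out of the hand-written quoting above.
        File tricky = new File("/tmp/it's.tar");
        File dest = new File("/tmp/out");

        // Each list element is one argv entry; note how the quote lands inside
        // the shell string in the first form but stays a plain character in the second.
        System.out.println("shell form:  " + shellCommand(tricky, dest));
        File canonicalTricky = new File(tricky.getCanonicalPath());
        System.out.println("direct form: " + Arrays.asList("tar", "-x",
                "-f", canonicalTricky.getPath(), "-C", new File(dest.getCanonicalPath()).getPath()));

        // Only extract for real when the caller names an existing archive and directory.
        if (args.length == 2) {
            unTar(new File(args[0]), new File(args[1]));
        }
    }
}
```

Compile with javac and run without arguments to compare the two argument
vectors; pass an archive path and a destination directory to extract
with the hardened form. The general rule the example illustrates is that
untrusted data should travel to a child process as an argv element,
never as part of a string a shell re-parses; escaping is a fallback, not
a substitute.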



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

