| |
| |
| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| |
| <meta name="description" content=""> |
| <meta name="author" content=""> |
| <link rel="icon" href="/favicon.ico"> |
| <base href="https://hadoop.apache.org"> |
| <title>Apache Hadoop</title> |
| |
| |
| <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"> |
| |
| |
| <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"> |
| <link rel="stylesheet" href="/css/hadoop.css"> |
| |
| |
| |
| </head> |
| |
| <body> |
| |
| |
| <div class="container"> |
| <h1>Hadoop CVE List</h1> |
| <!--- |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. See accompanying LICENSE file. |
| --> |
| <p>This page lists security fixes that the Hadoop PMC felt warranted a CVE. If you think something is missing from this list, or if you think the set of impacted or fixed versions is incomplete, then please <a href="mailing_lists.html#Security">ask on the Security list</a>.</p> |
| <p>CVEs are presented in most-recent-first order of announcement.</p> |
| <!-- These should be sorted as most-recent-first. Please copy this template and fill in as needed. |
| |
| ## [CVE-YYYY-XXXX](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-XXXX) Short Description |
| |
| One paragraph summary goes here. Don't need nuts-and-bolts detail, just enough for a reader to gauge applicability to their deployment. |
| |
| - **Versions affected**: |
| - **Fixed versions**: |
| - **Impact**: |
| - **Reporter**: |
| - **Reported Date**: |
| - **Issue Announced**: |
| --> |
| <h2 id="cve-2023-26031httpcvemitreorgcgi-bincvenamecginamecve-2023-26031-privilege-escalation-in-apache-haoop-yarn-container-executor-binary-on-linux-systems"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26031">CVE-2023-26031</a> Privilege escalation in Apache Hadoop YARN container-executor binary on Linux systems</h2> |
| <p>Relative library resolution in the Linux container-executor binary in Apache Hadoop 3.3.1 to 3.3.4 allows a local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.</p> |
| <p>Hadoop 3.3.0 updated the <a href="https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html">YARN Secure Containers</a> to add a feature for executing user-submitted applications in isolated Linux containers.</p> |
| <p>The native binary <code>HADOOP_HOME/bin/container-executor</code> is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.</p> |
| <p>The patch <a href="https://issues.apache.org/jira/browse/YARN-10495">YARN-10495</a> “make the rpath of container-executor configurable” changed the library search path for loading .so files from <code>$ORIGIN/</code> to <code>$ORIGIN/:../lib/native/</code>. This is the path through which libcrypto.so is located. It is therefore possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root. |
| If the YARN cluster is accepting work from remote (authenticated) users, and these users’ submitted jobs are executed on the physical host rather than in a container, then the CVE permits remote users to gain root privileges.</p> |
| <p>The fix for the vulnerability is to revert the change, which is done in <a href="https://issues.apache.org/jira/browse/YARN-11441">YARN-11441</a>, “Revert YARN-10495”. This patch is in hadoop-3.3.5.</p> |
| <p>To determine whether a version of container-executor is vulnerable, use the <code>readelf</code> command. If the RUNPATH or RPATH value contains the relative path <code>../lib/native/</code>, then it is at risk:</p> |
| <pre tabindex="0"><code>$ readelf -d container-executor|grep 'RUNPATH\|RPATH' |
| 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/] |
| </code></pre><p>If it does not, then it is safe:</p> |
| <pre tabindex="0"><code>$ readelf -d container-executor|grep 'RUNPATH\|RPATH' |
| 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/] |
| </code></pre><p>For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set:</p> |
| <pre tabindex="0"><code>$ ls -laF /opt/hadoop/bin/container-executor |
| ---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor |
| </code></pre><p>A safe installation lacks the suid bit; ideally it is also not owned by root:</p> |
| <pre tabindex="0"><code>$ ls -laF /opt/hadoop/bin/container-executor |
| -rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor |
| </code></pre><p>This configuration does not support YARN Secure Containers, but all other Hadoop services, including YARN job execution outside secure containers, continue to work.</p> |
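<p>The two checks above, combined into one script as an added example (not code from the Hadoop project or from this advisory): it parses <code>readelf -d</code> output for any RUNPATH/RPATH component that is neither absolute nor <code>$ORIGIN</code>-rooted, which generalizes the <code>../lib/native/</code> case shown above, and combines that with the setuid-root test. The <code>check_installed</code> helper and its default path <code>/opt/hadoop/bin/container-executor</code> are assumptions taken from the listings above; the sample readelf lines are constructed from the output shown on this page.</p>

```shell
#!/bin/sh
# Added example, not from the Hadoop project or the advisory above: decide whether a
# container-executor binary is exposed to CVE-2023-26031 by combining the two checks
# the advisory describes (RUNPATH contents and setuid-root ownership). The functions
# take captured text so they can be run against saved readelf/ls output offline.

# Return 0 (at risk) if the RUNPATH/RPATH entry in `readelf -d` output contains any
# component that is neither absolute nor $ORIGIN-relative. This generalizes the
# advisory's ../lib/native/ case: such a component is resolved against the caller's
# working directory, which an unprivileged user controls. An empty component
# (a trailing ':') also counts, since the loader treats it as the working directory.
runpath_at_risk() {
    printf '%s\n' "$1" \
      | sed -n 's/.*(R[UN]*PATH).*\[\(.*\)].*/\1/p' \
      | tr ':' '\n' \
      | grep -v -e '^/' -e '^\$ORIGIN' \
      | grep -q '^'
}

# Return 0 if an `ls -l` mode string and owner describe a setuid binary owned by root,
# the precondition the advisory names for the escalation to work.
# $1: mode field, e.g. "---Sr-s---." ; $2: owner field, e.g. "root"
suid_root() {
    case $1 in
        ???[sS]*) [ "$2" = root ] ;;
        *) return 1 ;;
    esac
}

# Print one verdict for a binary described by its readelf output, mode and owner:
#   VULNERABLE      relative RUNPATH and setuid root: escalation possible
#   AT_RISK_BINARY  relative RUNPATH but not setuid root: escalation blocked
#   SAFE            no relative RUNPATH component
cve_2023_26031_verdict() {
    if runpath_at_risk "$1"; then
        if suid_root "$2" "$3"; then
            echo VULNERABLE
        else
            echo AT_RISK_BINARY
        fi
    else
        echo SAFE
    fi
}

# Inspect a real binary on this host (needs readelf from binutils). The default path
# is the one used in the advisory's listings and is an assumption about your install.
check_installed() {
    bin=${1:-/opt/hadoop/bin/container-executor}
    [ -f "$bin" ] || { echo "MISSING $bin"; return 2; }
    readelf_out=$(readelf -d "$bin" 2>/dev/null) || { echo "UNREADABLE $bin"; return 2; }
    listing=$(ls -l "$bin")
    cve_2023_26031_verdict "$readelf_out" "$(echo "$listing" | cut -c1-11)" \
        "$(echo "$listing" | awk '{print $3}')"
}

# Constructed sample inputs that reproduce the two readelf lines shown in the advisory
# (single quotes keep $ORIGIN literal, as readelf prints it).
SAMPLE_VULN_READELF=' 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/:../lib/native/]'
SAMPLE_SAFE_READELF=' 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]'

# Demonstration on the constructed samples; no root access or real binary required.
cve_2023_26031_verdict "$SAMPLE_VULN_READELF" '---Sr-s---.' root    # VULNERABLE
cve_2023_26031_verdict "$SAMPLE_VULN_READELF" '-rwxr-xr-x.' yarn    # AT_RISK_BINARY
cve_2023_26031_verdict "$SAMPLE_SAFE_READELF" '---Sr-s---.' root    # SAFE
```

On a live node, <code>check_installed</code> with no argument inspects the default path and prints the same three verdicts.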
| <ul> |
| <li><strong>Versions affected</strong>: 3.3.1 to 3.3.4</li> |
| <li><strong>Fixed versions</strong>: 3.3.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Esa Hiltunen, Mikko Kortelainen</li> |
| <li><strong>Reported Date</strong>: 2022/07/13</li> |
| <li><strong>Issue Announced</strong>: 2023/11/16 (<a href="https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2021-25642httpcvemitreorgcgi-bincvenamecginamecve-2021-25642-apache-hadoop-yarn-remote-code-execution-in-zkconfigurationstore-of-capacity-scheduler"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25642">CVE-2021-25642</a> Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler</h2> |
| <p>ZKConfigurationStore, which is optionally used by the CapacityScheduler of |
| Apache Hadoop YARN, deserializes data obtained from ZooKeeper without |
| validation. An attacker with access to ZooKeeper can run arbitrary |
| commands as the YARN user by exploiting this.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.9.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 3.3.0 to 3.3.3</li> |
| <li><strong>Fixed versions</strong>: 2.10.2, 3.2.4, 3.3.4</li> |
| <li><strong>Impact</strong>: remote command execution</li> |
| <li><strong>Reporter</strong>: Liu Ximing</li> |
| <li><strong>Reported Date</strong>: 2020/12/16</li> |
| <li><strong>Issue Announced</strong>: 2022/08/25 (<a href="https://lists.apache.org/thread/w1nf92148xcnxl5ys0owtokf9y0l9zsv">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2022-25168httpcvemitreorgcgi-bincvenamecginamecve-2022-25168-command-injection-in-orgapachehadoopfsfileutiluntarusingtar"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168">CVE-2022-25168</a> Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar</h2> |
| <p>Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the |
| input file name before it is passed to the shell. An attacker can |
| inject arbitrary commands.</p> |
| <p>In Hadoop 3.3 this is only used in |
| InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by |
| a local user.</p> |
| <p>It has been used in Hadoop 2.x for YARN localization, which does |
| enable remote code execution.</p> |
| <p>It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the |
| ADD ARCHIVE command adds new binaries to the classpath, being able to |
| execute shell scripts does not confer new permissions to the caller.</p> |
| <p>SPARK-38305, “Check existence of file before untarring/zipping”, which |
| is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands from being |
| executed, regardless of which version of the Hadoop libraries is in |
| use.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.0.0 to 2.10.1, 3.0.0-alpha1 to 3.2.3, 3.3.0 to 3.3.2</li> |
| <li><strong>Fixed versions</strong>: 2.10.2, 3.2.4, 3.3.3</li> |
| <li><strong>Impact</strong>: injection attack</li> |
| <li><strong>Reporter</strong>: Kostya Kortchinsky</li> |
| <li><strong>Reported Date</strong>: 2022/02/12</li> |
| <li><strong>Issue Announced</strong>: 2022/08/04 (<a href="https://lists.apache.org/thread/ktplnsr0b9zn8ylzb98zcnt5gydfvjm1">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2021-33036httpcvemitreorgcgi-bincvenamecginamecve-2021-33036-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33036">CVE-2021-33036</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to |
| 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to the yarn user can |
| possibly run arbitrary commands as the root user.</p> |
| <p>If you are using an affected version of Apache Hadoop and some users |
| can escalate to the yarn user but cannot escalate to the root user, remove |
| their permission to escalate to the yarn user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, 3.3.0 to 3.3.1</li> |
| <li><strong>Fixed versions</strong>: 2.10.2, 3.2.3, 3.3.2</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Hideyuki Furue</li> |
| <li><strong>Reported Date</strong>: 2021/05/05</li> |
| <li><strong>Issue Announced</strong>: 2022/06/15 (<a href="https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2021-37404httpcvemitreorgcgi-bincvenamecginamecve-2021-37404-heap-buffer-overflow-in-libhdfs-native-library"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37404">CVE-2021-37404</a> Heap buffer overflow in libhdfs native library</h2> |
| <p>There is a potential heap buffer overflow in libhdfs native code. |
| Opening a file path provided by a user without validation may result in |
| a denial of service or arbitrary code execution.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.9.0 to 2.10.1, 3.0.0 to 3.1.4, 3.2.0 to 3.2.2, 3.3.0 to 3.3.1</li> |
| <li><strong>Fixed versions</strong>: 2.10.2, 3.2.3, 3.3.2</li> |
| <li><strong>Impact</strong>: denial of service or arbitrary code execution</li> |
| <li><strong>Reporter</strong>: Igor Chervatyuk</li> |
| <li><strong>Reported Date</strong>: 2021/04/04</li> |
| <li><strong>Issue Announced</strong>: 2022/06/11 (<a href="https://lists.apache.org/thread/36k6f4s4ff97tgo4wl9681vtcp7dsg06">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2022-26612httpcvemitreorgcgi-bincvenamecginamecve-2022-26612-arbitrary-file-write-during-untar-on-windows"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26612">CVE-2022-26612</a> Arbitrary file write during untar on Windows</h2> |
| <p>In Apache Hadoop, the <code>unTar</code> function uses the <code>unTarUsingJava</code> function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may then extract an arbitrary file into the external directory using the symlink name. On Unix this would be caught by the same <code>targetDirPath</code> check because of the <code>getCanonicalPath</code> call; on Windows, however, <code>getCanonicalPath</code> does not resolve symbolic links, which bypasses the check. <code>unpackEntries</code> therefore follows symbolic links during TAR extraction, allowing writes outside the expected base directory on Windows.</p> |
| <p>Users of the affected versions should apply either of the following mitigations:</p> |
| <ul> |
| <li>Do not run any of the YARN daemons as a user possessing the permissions to create symlinks on Windows.</li> |
| <li>Do not use symlinks in the tar file.</li> |
| </ul> |
| <ul> |
| <li><strong>Versions affected</strong>: Versions below 3.2.3, 3.3.2</li> |
| <li><strong>Fixed versions</strong>: 3.2.3, 3.3.3, 3.4 onwards</li> |
| <li><strong>Impact</strong>: file write to arbitrary path in Windows</li> |
| <li><strong>Reporter</strong>: A member of GitHub Security Lab, <a href="https://github.com/JarLob">Jaroslav Lobačevski</a></li> |
| <li><strong>Reported Date</strong>: 2022/02/09</li> |
| <li><strong>Issue Announced</strong>: 2022/04/07 (<a href="https://lists.apache.org/thread/wps21pzjl1myxw23yb466y9yofv104yl">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2020-9492httpcvemitreorgcgi-bincvenamecginamecve-2020-9492-apache-hadoop-potential-privilege-escalation"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492">CVE-2020-9492</a> Apache Hadoop Potential privilege escalation</h2> |
| <p>WebHDFS client might send SPNEGO authorization header to remote URL |
| without proper verification. A crafty user can trigger services to |
| send server credentials to a webhdfs path for capturing the service |
| principal.</p> |
| <p>Users of the affected versions should apply either of the following mitigations:</p> |
| <ul> |
| <li>Set different http signature secrets and use dedicated hosts for each privileged impersonation service (such as HiveServer2).</li> |
| <li>Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer with TLS encryption enabled and configure dfs.http.policy to HTTPS_ONLY.</li> |
| </ul> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0</li> |
| <li><strong>Fixed versions</strong>: 3.2.2, 3.1.4, 2.10.1</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Kevin Risden</li> |
| <li><strong>Reported Date</strong>: 2020/03/17</li> |
| <li><strong>Issue Announced</strong>: 2021/01/26 (<a href="https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11764httpcvemitreorgcgi-bincvenamecginamecve-2018-11764-apache-hadoop-privilege-escalation-in-web-endpoint"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11764">CVE-2018-11764</a> Apache Hadoop Privilege escalation in web endpoint</h2> |
| <p>Web endpoint authentication check is broken. Authenticated users may |
| impersonate any user even if no proxy user is configured.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha4, 3.0.0-beta1, 3.0.0</li> |
| <li><strong>Fixed versions</strong>: 3.0.1</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Daryn Sharp</li> |
| <li><strong>Reported Date</strong>: 2018/03/17</li> |
| <li><strong>Issue Announced</strong>: 2020/10/21 (<a href="https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11765httpcvemitreorgcgi-bincvenamecginamecve-2018-11765-potential-information-disclosure-in-apache-hadoop-web-interfaces"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11765">CVE-2018-11765</a> Potential information disclosure in Apache Hadoop Web interfaces</h2> |
| <p>When Kerberos authentication is enabled and SPNEGO through HTTP is not enabled, |
| any user can access some servlets without authentication.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5</li> |
| <li><strong>Fixed versions</strong>: 3.0.1, 2.10.0</li> |
| <li><strong>Impact</strong>: information disclosure</li> |
| <li><strong>Reporter</strong>: Larry McCay (Discovered by Owen O’Malley)</li> |
| <li><strong>Reported Date</strong>: 2018/03/11</li> |
| <li><strong>Issue Announced</strong>: 2020/09/28 (<a href="https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11768httpcvemitreorgcgi-bincvenamecginamecve-2018-11768-apache-hadoop-hdfs-fsimage-corruption"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768">CVE-2018-11768</a> Apache Hadoop HDFS FSImage Corruption</h2> |
| <p>There is a mismatch in the size of the fields used to store user/group |
| information between memory and disk representation. This causes the user/group |
| information to be corrupted across storing in fsimage and reading back from |
| fsimage.</p> |
| <p>This vulnerability fix contains an fsimage layout change, so once the image is |
| saved in the new layout format you cannot go back to a version that doesn’t |
| support the newer layout. This means that once 2.7.x users have upgraded to the |
| fixed version, they cannot downgrade to 2.7.x, because there is no fixed version |
| in 2.7.x. We suggest downgrading to 2.8.5 or a later version that contains the |
| vulnerability fix.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4</li> |
| <li><strong>Fixed versions</strong>: 3.1.2, 2.9.2, 2.8.5</li> |
| <li><strong>Impact</strong>: information disclosure</li> |
| <li><strong>Reporter</strong>: Ekanth Sethuramalingam</li> |
| <li><strong>Reported Date</strong>: 2018/06/05</li> |
| <li><strong>Issue Announced</strong>: 2019/10/03 (<a href="https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-8029httpcvemitreorgcgi-bincvenamecginamecve-2018-8029-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029">CVE-2018-8029</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>A user who can escalate to yarn user can possibly run arbitrary |
| commands as root user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4</li> |
| <li><strong>Fixed versions</strong>: 3.1.1, 2.9.2, 2.8.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Miklos Szegedi</li> |
| <li><strong>Reported Date</strong>: 2018/05/08</li> |
| <li><strong>Issue Announced</strong>: 2019/05/30 (<a href="https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11767httpcvemitreorgcgi-bincvenamecginamecve-2018-11767-apache-hadoop-kms-acl-regression"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11767">CVE-2018-11767</a> Apache Hadoop KMS ACL regression</h2> |
| <p>After the security fix for CVE-2017-15713, KMS has an access control regression, |
| blocking users or granting access to users incorrectly, if the system |
| uses non-default groups mapping mechanisms such as LdapGroupsMapping, |
| CompositeGroupsMapping, or NullGroupsMapping.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6</li> |
| <li><strong>Fixed versions</strong>: 2.9.2, 2.8.5, 2.7.7</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Wei-Chiu Chuang</li> |
| <li><strong>Reported Date</strong>: 2018/05/09</li> |
| <li><strong>Issue Announced</strong>: 2019/03/11 (<a href="https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-1296httpcvemitreorgcgi-bincvenamecginamecve-2018-1296-apache-hadoop-hdfs-permissive-listxattr-authorization"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1296">CVE-2018-1296</a> Apache Hadoop HDFS Permissive listXAttr Authorization</h2> |
| <p>HDFS exposes extended attribute key/value pairs during listXAttrs, |
| verifying only path-level search access to the directory rather than |
| path-level read permission to the referent. This affects features that |
| store sensitive data in extended attributes, such as HDFS encryption |
| secrets.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5</li> |
| <li><strong>Fixed versions</strong>: 3.0.1, 2.9.1, 2.8.4, 2.7.6</li> |
| <li><strong>Impact</strong>: information disclosure</li> |
| <li><strong>Reporter</strong>: Rushabh Shah</li> |
| <li><strong>Reported Date</strong>: 2018/02/09</li> |
| <li><strong>Issue Announced</strong>: 2019/01/24 (<a href="https://lists.apache.org/thread.html/752d5fe697ca6be6f472eabb1bcae7961a47d416e4013ac803a2ab2c@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11766httpcvemitreorgcgi-bincvenamecginamecve-2018-11766-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11766">CVE-2018-11766</a> Apache Hadoop privilege escalation vulnerability</h2> |
| <p>In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is |
| incomplete. A user who can escalate to yarn user can possibly run arbitrary |
| commands as root user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.7.4 to 2.7.6</li> |
| <li><strong>Fixed versions</strong>: 2.7.7</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Wilfred Spiegelenburg</li> |
| <li><strong>Reported Date</strong>: 2018/05/04</li> |
| <li><strong>Issue Announced</strong>: 2018/11/27 (<a href="https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-8009httpcvemitreorgcgi-bincvenamecginamecve-2018-8009-apache-hadoop-distributed-cache-archive-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009">CVE-2018-8009</a> Apache Hadoop distributed cache archive vulnerability</h2> |
| <p>This vulnerability allows a cluster user to publish a public |
| archive that can affect other files owned by the user running the YARN |
| NodeManager daemon. If the impacted files belong to another already |
| localized, public archive on the node then code can be injected into |
| the jobs of other cluster users using the public archive.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11</li> |
| <li><strong>Fixed versions</strong>: 3.1.1, 3.0.3, 2.9.2, 2.8.5, 2.7.7</li> |
| <li><strong>Impact</strong>: injection attack</li> |
| <li><strong>Credit</strong>: Snyk Security Research Team</li> |
| <li><strong>Reported Date</strong>: 2018/04/19</li> |
| <li><strong>Issue Announced</strong>: 2018/11/22 (<a href="https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2016-6811httpcvemitreorgcgi-bincvenamecginamecve-2016-6811-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811">CVE-2016-6811</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>A user who can escalate to yarn user can possibly run arbitrary commands as root user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.2.0 to 2.7.3</li> |
| <li><strong>Fixed versions</strong>: 2.7.4 or newer</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Freddie Rice</li> |
| <li><strong>Reported Date</strong>: 2016/07/06</li> |
| <li><strong>Issue Announced</strong>: 2018/05/01 (<a href="https://lists.apache.org/thread.html/ff3859a2188c3662240311acddba9cf97992b839792ec0a14d61b4e5@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <p>Note: The fix for this vulnerability is incomplete in Apache Hadoop 2.7.4 to 2.7.6 (CVE-2018-11766).</p> |
| <h2 id="cve-2017-15718httpcvemitreorgcgi-bincvenamecginamecve-2017-15718-apache-hadoop-yarn-nodemanager-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718">CVE-2017-15718</a> Apache Hadoop YARN NodeManager vulnerability</h2> |
| <p>In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. |
| The YARN NodeManager can leak the password for the credential store provider |
| used by the NodeManager to YARN applications.</p> |
| <p>If you use the CredentialProvider feature to encrypt passwords used in |
| NodeManager configs, it may be possible for any Container launched |
| by that NodeManager to gain access to the encryption password. |
| The other passwords themselves are not directly exposed.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.7.3, 2.7.4</li> |
| <li><strong>Fixed versions</strong>: 2.7.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Vinayakumar B.</li> |
| <li><strong>Reported Date</strong>: 2017/09/18</li> |
| <li><strong>Issue Announced</strong>: 2018/01/24 (<a href="https://lists.apache.org/thread.html/23a277506bc0d85c1bbe5c0766ffe55e8c3923c8d6f58893b6966957@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2017-15713httpcvemitreorgcgi-bincvenamecginamecve-2017-15713-apache-hadoop-mapreduce-job-history-server-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713">CVE-2017-15713</a> Apache Hadoop MapReduce job history server vulnerability</h2> |
| <p>This vulnerability allows a cluster user to expose private files |
| owned by the user running the MapReduce job history server process. |
| The malicious user can construct a configuration file containing XML |
| directives that reference sensitive files on the MapReduce job history |
| server host.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha to 3.0.0-beta1, 2.8.0 to 2.8.2, 2.0.0-alpha to 2.7.4, 0.23.0 to 0.23.11</li> |
| <li><strong>Fixed versions</strong>: 3.0.0, 2.9.0, 2.8.3, 2.7.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Man Yue Mo of lgtm.com</li> |
| <li><strong>Reported Date</strong>: 2017/06/30</li> |
| <li><strong>Issue Announced</strong>: 2018/01/19 (<a href="https://lists.apache.org/thread.html/9e5d86d5792d04f8a3b458f735e63fa9bdfe28ff454de257a2e02f18@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2017-3166httpcvemitreorgcgi-bincvenamecginamecve-2017-3166-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166">CVE-2017-3166</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>In a cluster where the YARN user has been granted access to all HDFS |
| encryption keys, if a file in an encryption zone with access permissions |
| that make it world readable is localized via YARN’s localization mechanism, |
| e.g. via the MapReduce distributed cache, that file will be stored |
| in a world-readable location and shared freely with any application |
| that requests to localize that file, no matter who the application owner |
| is or whether that user should be allowed to access files from the |
| target encryption zone.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.0.0-alpha3, 2.7.0 to 2.7.3, 2.6.1 to 2.6.5</li> |
| <li><strong>Fixed versions</strong>: 3.0.0-alpha4, 2.8.0, 2.7.4</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Luke Herbert</li> |
| <li><strong>Reported Date</strong>: 2016/11/18</li> |
| <li><strong>Issue Announced</strong>: 2017/11/08 (<a href="https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h1 id="thirdparty-vulnerabilities">Third-party vulnerabilities</h1> |
| <p>The following section describes third-party vulnerabilities that may be of interest to Hadoop users. Please contact the respective project owners for details.</p> |
| <h2 id="cve-2021-44228httpscvemitreorgcgi-bincvenamecginamecve-2021-44228-log4shell-vulnerability"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a> Log4Shell Vulnerability</h2> |
| <p>It is understood that the Log4Shell vulnerability CVE-2021-44228 impacts log4j2. Hadoop, as of 3.3.x, depends on log4j 1.x, which is <strong>NOT</strong> susceptible to the attack. Once we migrate over to log4j2, we will adopt a version that is not susceptible to the attack, too. Therefore, no ASF version of Hadoop has ever been vulnerable. Third-party products and applications based on Hadoop <em>may</em> be vulnerable; please consult the vendor or the project owner.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: N/A</li> |
| </ul> |
| <h2 id="cve-2021-4104httpscvemitreorgcgi-bincvenamecginamecve-2021-4104-log4shell-vulnerability"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104">CVE-2021-4104</a> Log4Shell Vulnerability</h2> |
| <p>JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable to the Log4Shell attack in a similar fashion to CVE-2021-44228. However, the JMSAppender is not the default configuration shipped in Hadoop. When JMSAppender is not enabled, Hadoop is not vulnerable to the attack.</p> |
| <p>To mitigate the risk, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself following the instructions in this <a href="http://slf4j.org/log4shell.html">link</a>.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: N/A</li> |
| </ul> |
| |
| </div> |
| |
| <div class="container"> |
| <footer class="footer container"> |
| <div class="col-md-6"> |
| <p>Apache Hadoop, Hadoop, Apache, the Apache feather logo, |
| and the Apache Hadoop project logo are either registered trademarks or trademarks of the Apache Software Foundation |
| in the United States and other countries</p> |
| <p>Copyright © 2006-2024 The Apache Software Foundation</p> |
| <p><a href="/privacy_policy.html">Privacy policy</a></p> |
| </div> |
| <div class="col-md-6"> |
| <img class="img-responsive" src="/asf_logo_wide.png"/> |
| </div> |
| </footer> |
| </div> |
| |
| |
| <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script> |
| <script>window.jQuery || document.write('<script src="../../assets/js/vendor/jquery.min.js"><\/script>')</script> |
| <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> |
| <script> |
| $(function() { $('table').addClass('table table-striped'); }) |
| </script> |
| |
| </body> |
| </html> |
| |