Google Git
Sign in
apache / hadoop-site / 3a5b685e7a54ce3419d5292782d51d594d4471f6 / . / content / cve_list.html
blob: 44b0602854a8f405f7ab1eb1624d7b001d1c3996 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<link rel="icon" href="/favicon.ico">
<base href="https://hadoop.apache.org">
<title>Apache Hadoop</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
<link rel="stylesheet" href="/css/hadoop.css">
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<img class="navbar-logo" src="/elephant.png">
<a class="navbar-brand" href="/"> Apache Hadoop</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class=""><a href="releases.html">Download</a></li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Documentation <span class="caret"></span></a>
<ul class="dropdown-menu">
<li ><a href="https://hadoop.apache.org/docs/current/">Latest</a></li>
<li ><a href="https://hadoop.apache.org/docs/stable/">Stable</a></li>
<li role="separator" class="divider"></li>
<li><a href="https://hadoop.apache.org/docs/r3.2.4/">3.2.4</a></li>
<li><a href="https://hadoop.apache.org/docs/r2.10.2/">2.10.2</a></li>
<li><a href="https://hadoop.apache.org/docs/r3.3.3/">3.3.3</a></li>
<li role="separator" class="divider"></li>
<li><a href="https://wiki.apache.org/hadoop">Wiki</a></li>
</ul>
</li>
<li class="dropdown active">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Community <span class="caret"></span></a>
<ul class="dropdown-menu">
<li ><a href="/bylaws.html">Bylaws</a></li>
<li ><a href="/committer_criteria.html">Criteria for Committership</a></li>
<li ><a href="/mailing_lists.html">Mailing lists</a></li>
<li ><a href="/cve_list.html">Published CVEs</a></li>
<li ><a href="/who.html">Who We are</a></li>
</ul>
</li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Development <span class="caret"></span></a>
<ul class="dropdown-menu">
<li ><a href="https://cwiki.apache.org/confluence/display/HADOOP/How&#43;To&#43;Contribute">How to Contribute</a></li>
<li ><a href="/issue_tracking.html">Issue Tracking</a></li>
<li ><a href="/version_control.html">Version Control</a></li>
<li ><a href="/versioning.html">Versioning</a></li>
</ul>
</li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Help <span class="caret"></span></a>
<ul class="dropdown-menu">
<li ><a href="https://www.cafepress.com/hadoop">Buy Stuff</a></li>
<li ><a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li ><a href="https://www.apache.org/foundation/thanks.html">Thanks</a></li>
</ul>
</li>
</ul>
<ul class="nav navbar-nav navbar-right">
<li>
<a href="https://www.apache.org/">Apache Software Foundation <span class="glyphicon glyphicon-new-window" aria-hidden="true"></span></a>
</li>
</ul>
</div>
</div>
</nav>
<div class="container">
<h1>Hadoop CVE List</h1>
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<p>This page lists security fixes that the Hadoop PMC felt warranted a CVE. If you think something is missing from this list or if you think the set of impacted or fixed versions is incomplete then please <a href="mailing_lists.html#Security">ask on the Security list</a>.</p>
<p>CVEs are presented in most-recent-first order of announcement.</p>
<!-- These should be sorted as most-recent-first. Please copy this template and fill in as needed.
## [CVE-YYYY-XXXX](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-XXXX) Short Description
One paragraph summary goes here. Don't need nuts-and-bolts detail, just enough for a reader to guage applicability to their deployment.
- **Versions affected**:
- **Fixed versions**:
- **Impact**:
- **Reporter**:
- **Reported Date**:
- **Issue Announced**:
-->
<h2 id="cve-2022-25168httpcvemitreorgcgi-bincvenamecginamecve-2022-25168-command-injection-in-orgapachehadoopfsfileutiluntarusingtar"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168">CVE-2022-25168</a> Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar</h2>
<p>Apache Hadoop&rsquo;s FileUtil.unTar(File, File) API does not escape the
input file name before being passed to the shell. An attacker can
inject arbitrary commands.</p>
<p>This is only used in Hadoop 3.3
InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by
a local user.</p>
<p>It has been used in Hadoop 2.x for yarn localization, which does
enable remote code execution.</p>
<p>It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the
ADD ARCHIVE command adds new binaries to the classpath, being able to
execute shell scripts does not confer new permissions to the caller.</p>
<p>SPARK-38305. &ldquo;Check existence of file before untarring/zipping&rdquo;, which
is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being
executed, regardless of which version of the hadoop libraries are in
use.</p>
<ul>
<li><strong>Versions affected</strong>: 2.0.0 to 2.10.1, 3.0.0-alpha1 to 3.2.3, 3.3.0 to 3.3.2</li>
<li><strong>Fixed versions</strong>: 2.10.2, 3.2.4, 3.3.3</li>
<li><strong>Impact</strong>: injection attack</li>
<li><strong>Reporter</strong>: Kostya Kortchinsky</li>
<li><strong>Reported Date</strong>: 2022/02/12</li>
<li><strong>Issue Announced</strong>: 2022/08/04 (<a href="https://lists.apache.org/thread/ktplnsr0b9zn8ylzb98zcnt5gydfvjm1">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2021-33036httpcvemitreorgcgi-bincvenamecginamecve-2021-33036-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33036">CVE-2021-33036</a> Apache Hadoop Privilege escalation vulnerability</h2>
<p>In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to
3.2.2, and 3.3.0 to 3.3.1, A user who can escalate to yarn user can
possibly run arbitrary commands as root user.</p>
<p>If you are using the affected version of Apache Hadoop and some users
can escalate to yarn user and cannot escalate to root user, remove the
permission to escalate to yarn user from them.</p>
<ul>
<li><strong>Versions affected</strong>: 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, 3.3.0 to 3.3.1</li>
<li><strong>Fixed versions</strong>: 2.10.2, 3.2.3, 3.3.2</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Hideyuki Furue</li>
<li><strong>Reported Date</strong>: 2021/05/05</li>
<li><strong>Issue Announced</strong>: 2022/06/15 (<a href="https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2021-37404httpcvemitreorgcgi-bincvenamecginamecve-2021-37404-heap-buffer-overflow-in-libhdfs-native-library"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37404">CVE-2021-37404</a> Heap buffer overflow in libhdfs native library</h2>
<p>There is a potential heap buffer overflow in libhdfs native code.
Opening a file path provided by user without validation may result in
a denial of service or arbitrary code execution.</p>
<ul>
<li><strong>Versions affected</strong>: 2.9.0 to 2.10.1, 3.0.0 to 3.1.4, 3.2.0 to 3.2.2, 3.3.0 to 3.3.1</li>
<li><strong>Fixed versions</strong>: 2.10.2, 3.2.3, 3.3.2</li>
<li><strong>Impact</strong>: denial of service or arbitrary code execution</li>
<li><strong>Reporter</strong>: Igor Chervatyuk</li>
<li><strong>Reported Date</strong>: 2021/04/04</li>
<li><strong>Issue Announced</strong>: 2022/06/11 (<a href="https://lists.apache.org/thread/36k6f4s4ff97tgo4wl9681vtcp7dsg06">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2022-26612httpcvemitreorgcgi-bincvenamecginamecve-2022-26612-arbitrary-file-write-during-untar-on-windows"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26612">CVE-2022-26612</a> Arbitrary file write during untar on Windows</h2>
<p>In Apache Hadoop, The <code>unTar</code> function uses <code>unTarUsingJava</code> function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same <code>targetDirPath</code> check on Unix because of the <code>getCanonicalPath</code> call. However on Windows, <code>getCanonicalPath</code> doesn&rsquo;t resolve symbolic links, which bypasses the check. <code>unpackEntries</code> during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows.</p>
<p>Users of the affected versions should apply either of the following mitigations:</p>
<ul>
<li>Do not run any of the YARN daemons as a user possessing the permissions to create symlinks on Windows.</li>
<li>Do not use symlinks in the tar file.</li>
</ul>
<ul>
<li><strong>Versions affected</strong>: Versions below 3.2.3, 3.3.2</li>
<li><strong>Fixed versions</strong>: 3.2.3, 3.3.3, 3.4 onwards</li>
<li><strong>Impact</strong>: file write to arbitrary path in Windows</li>
<li><strong>Reporter</strong>: A member of GitHub Security Lab, <a href="https://github.com/JarLob">Jaroslav Lobačevski</a></li>
<li><strong>Reported Date</strong>: 2022/02/09</li>
<li><strong>Issue Announced</strong>: 2022/04/7 (<a href="https://lists.apache.org/thread/wps21pzjl1myxw23yb466y9yofv104yl">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2020-9492httpcvemitreorgcgi-bincvenamecginamecve-2020-9492-apache-hadoop-potential-privilege-escalation"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492">CVE-2020-9492</a> Apache Hadoop Potential privilege escalation</h2>
<p>WebHDFS client might send SPNEGO authorization header to remote URL
without proper verification. A crafty user can trigger services to
send server credentials to a webhdfs path for capturing the service
principal.</p>
<p>Users of the affected versions should apply either of the following mitigations:</p>
<ul>
<li>Set different http signature secrets and use dedicated hosts for each privileged impersonation service (such as HiveServer2).</li>
<li>Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer with TLS encryption enabled and configure dfs.http.policy to HTTPS_ONLY.</li>
</ul>
<ul>
<li><strong>Versions affected</strong>: 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0</li>
<li><strong>Fixed versions</strong>: 3.2.2, 3.1.4, 2.10.1</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Kevin Risden</li>
<li><strong>Reported Date</strong>: 2020/03/17</li>
<li><strong>Issue Announced</strong>: 2021/01/26 (<a href="https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-11764httpcvemitreorgcgi-bincvenamecginamecve-2018-11764-apache-hadoop-privilege-escalation-in-web-endpoint"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11764">CVE-2018-11764</a> Apache Hadoop Privilege escalation in web endpoint</h2>
<p>Web endpoint authentication check is broken. Authenticated users may
impersonate any user even if no proxy user is configured.</p>
<ul>
<li><strong>Versions affected</strong>: 3.0.0-alpha4, 3.0.0-beta1, 3.0.0</li>
<li><strong>Fixed versions</strong>: 3.0.1</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Daryn Sharp</li>
<li><strong>Reported Date</strong>: 2018/03/17</li>
<li><strong>Issue Announced</strong>: 2020/10/21 (<a href="https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-11765httpcvemitreorgcgi-bincvenamecginamecve-2018-11765-potential-information-disclosure-in-apache-hadoop-web-interfaces"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11765">CVE-2018-11765</a> Potential information disclosure in Apache Hadoop Web interfaces</h2>
<p>When Kerberos authentication is enabled and SPNEGO through HTTP is not enabled,
any users can access some servlets without authentication.</p>
<ul>
<li><strong>Versions affected</strong>: 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5</li>
<li><strong>Fixed versions</strong>: 3.0.1, 2.10.0</li>
<li><strong>Impact</strong>: information disclosure</li>
<li><strong>Reporter</strong>: Larry McCay (Discovered by Owen O&rsquo;Malley)</li>
<li><strong>Reported Date</strong>: 2018/03/11</li>
<li><strong>Issue Announced</strong>: 2020/09/28 (<a href="https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-11768httpcvemitreorgcgi-bincvenamecginamecve-2018-11768-apache-hadoop-hdfs-fsimage-corruption"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768">CVE-2018-11768</a> Apache Hadoop HDFS FSImage Corruption</h2>
<p>There is a mismatch in the size of the fields used to store user/group
information between memory and disk representation. This causes the user/group
information to be corrupted across storing in fsimage and reading back from
fsimage.</p>
<p>This vulnerability fix contains a fsimage layout change, so once the image is
saved in the new layout format you cannot go back to a version that doesn’t
support the newer layout. This means that once 2.7.x users upgraded to the
fixed version, they cannot downgrade to 2.7.x because there is no fixed version
in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the
vulnerability fix.</p>
<ul>
<li><strong>Versions affected</strong>: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4</li>
<li><strong>Fixed versions</strong>: 3.1.2, 2.9.2, 2.8.5</li>
<li><strong>Impact</strong>: information disclosure</li>
<li><strong>Reporter</strong>: Ekanth Sethuramalingam</li>
<li><strong>Reported Date</strong>: 2018/06/05</li>
<li><strong>Issue Announced</strong>: 2019/10/03 (<a href="https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-8029httpcvemitreorgcgi-bincvenamecginamecve-2018-8029-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029">CVE-2018-8029</a> Apache Hadoop Privilege escalation vulnerability</h2>
<p>A user who can escalate to yarn user can possibly run arbitrary
commands as root user.</p>
<ul>
<li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4</li>
<li><strong>Fixed versions</strong>: 3.1.1, 2.9.2, 2.8.5</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Miklos Szegedi</li>
<li><strong>Reported Date</strong>: 2018/05/08</li>
<li><strong>Issue Announced</strong>: 2019/05/30 (<a href="https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-11767httpcvemitreorgcgi-bincvenamecginamecve-2018-11767-apache-hadoop-kms-acl-regression"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11767">CVE-2018-11767</a> Apache Hadoop KMS ACL regression</h2>
<p>After the security fix for CVE-2017-15713, KMS has an access control regression,
blocking users or granting access to users incorrectly, if the system
uses non-default groups mapping mechanisms such as LdapGroupsMapping,
CompositeGroupsMapping, or NullGroupsMapping.</p>
<ul>
<li><strong>Versions affected</strong>: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6</li>
<li><strong>Fixed versions</strong>: 2.9.2, 2.8.5, 2.7.7</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Wei-Chiu Chuang</li>
<li><strong>Reported Date</strong>: 2018/05/09</li>
<li><strong>Issue Announced</strong>: 2019/03/11 (<a href="https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-1296httpcvemitreorgcgi-bincvenamecginamecve-2018-1296-apache-hadoop-hdfs-permissive-listxattr-authorization"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1296">CVE-2018-1296</a> Apache Hadoop HDFS Permissive listXAttr Authorization</h2>
<p>HDFS exposes extended attribute key/value pairs during listXAttrs,
verifying only path-level search access to the directory rather than
path-level read permission to the referent. This affects features that
store sensitive data in extended attributes, such as HDFS encryption
secrets.</p>
<ul>
<li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5</li>
<li><strong>Fixed versions</strong>: 3.0.1, 2.9.1, 2.8.4, 2.7.6</li>
<li><strong>Impact</strong>: information disclosure</li>
<li><strong>Reporter</strong>: Rushabh Shah</li>
<li><strong>Reported Date</strong>: 2018/02/09</li>
<li><strong>Issue Announced</strong>: 2019/01/24 (<a href="https://lists.apache.org/thread.html/752d5fe697ca6be6f472eabb1bcae7961a47d416e4013ac803a2ab2c@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-11766httpcvemitreorgcgi-bincvenamecginamecve-2018-11766-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11766">CVE-2018-11766</a> Apache Hadoop privilege escalation vulnerability</h2>
<p>In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is
incomplete. A user who can escalate to yarn user can possibly run arbitrary
commands as root user.</p>
<ul>
<li><strong>Versions affected</strong>: 2.7.4 to 2.7.6</li>
<li><strong>Fixed versions</strong>: 2.7.7</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Wilfred Spiegelenburg</li>
<li><strong>Reported Date</strong>: 2018/05/04</li>
<li><strong>Issue Announced</strong>: 2018/11/27 (<a href="https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h2 id="cve-2018-8009httpcvemitreorgcgi-bincvenamecginamecve-2018-8009-apache-hadoop-distributed-cache-archive-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009">CVE-2018-8009</a> Apache Hadoop distributed cache archive vulnerability</h2>
<p>Vulnerability allows a cluster user to publish a public
archive that can affect other files owned by the user running the YARN
NodeManager daemon. If the impacted files belong to another already
localized, public archive on the node then code can be injected into
the jobs of other cluster users using the public archive.</p>
<ul>
<li><strong>Versions affected</strong>: 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11</li>
<li><strong>Fixed versions</strong>: 3.1.1, 3.0.3, 2.9.2, 2.8.5, 2.7.7</li>
<li><strong>Impact</strong>: injection attack</li>
<li><strong>Credit</strong>: Snyk Security Research Team</li>
<li><strong>Reported Date</strong>: 2018/04/19</li>
<li><strong>Issue Announced</strong>: 2018/11/22 (<a href="https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li>
</ul>
<h2 id="cve-2016-6811httpcvemitreorgcgi-bincvenamecginamecve-2016-6811-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811">CVE-2016-6811</a> Apache Hadoop Privilege escalation vulnerability</h2>
<p>A user who can escalate to yarn user can possibly run arbitrary commands as root user.</p>
<ul>
<li><strong>Versions affected</strong>: 2.2.0 to 2.7.3</li>
<li><strong>Fixed versions</strong>: 2.7.4 or newer</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Freddie Rice</li>
<li><strong>Reported Date</strong>: 2016/07/06</li>
<li><strong>Issue Announced</strong>: 2018/05/01 (<a href="https://lists.apache.org/thread.html/ff3859a2188c3662240311acddba9cf97992b839792ec0a14d61b4e5@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li>
</ul>
<p>Note: The fix for this vulnerability is incomplete in Apache Hadoop 2.7.4 to 2.7.6 (CVE-2018-11766).</p>
<h2 id="cve-2017-15718httpcvemitreorgcgi-bincvenamecginamecve-2017-15718-apache-hadoop-yarn-nodemanager-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718">CVE-2017-15718</a> Apache Hadoop YARN NodeManager vulnerability</h2>
<p>In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete.
The YARN NodeManager can leak the password for credential store provider
used by the NodeManager to YARN Applications.</p>
<p>If you use the CredentialProvider feature to encrypt passwords used in
NodeManager configs, it may be possible for any Container launched
by that NodeManager to gain access to the encryption password.
The other passwords themselves are not directly exposed.</p>
<ul>
<li><strong>Versions affected</strong>: 2.7.3, 2.7.4</li>
<li><strong>Fixed versions</strong>: 2.7.5</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Vinayakumar B.</li>
<li><strong>Reported Date</strong>: 2017/09/18</li>
<li><strong>Issue Announced</strong>: 2018/01/24 (<a href="https://lists.apache.org/thread.html/23a277506bc0d85c1bbe5c0766ffe55e8c3923c8d6f58893b6966957@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li>
</ul>
<h2 id="cve-2017-15713httpcvemitreorgcgi-bincvenamecginamecve-2017-15713-apache-hadoop-mapreduce-job-history-server-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713">CVE-2017-15713</a> Apache Hadoop MapReduce job history server vulnerability</h2>
<p>Vulnerability allows a cluster user to expose private files
owned by the user running the MapReduce job history server process.
The malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history
server host.</p>
<ul>
<li><strong>Versions affected</strong>: 3.0.0-alpha to 3.0.0-beta1, 2.8.0 to 2.8.2, 2.0.0-alpha to 2.7.4, 0.23.0 to 0.23.11</li>
<li><strong>Fixed versions</strong>: 3.0.0, 2.9.0, 2.8.3, 2.7.5</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Man Yue Mo of lgtm.com</li>
<li><strong>Reported Date</strong>: 2017/06/30</li>
<li><strong>Issue Announced</strong>: 2018/01/19 (<a href="https://lists.apache.org/thread.html/9e5d86d5792d04f8a3b458f735e63fa9bdfe28ff454de257a2e02f18@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li>
</ul>
<h2 id="cve-2017-3166httpcvemitreorgcgi-bincvenamecginamecve-2017-3166-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166">CVE-2017-3166</a> Apache Hadoop Privilege escalation vulnerability</h2>
<p>In a cluster where the YARN user has been granted access to all HDFS
encryption keys, if a file in an encryption zone with access permissions
that make it world readable is localized via YARN&rsquo;s localization mechanism,
e.g. via the MapReduce distributed cache, that file will be stored
in a world-readable location and shared freely with any application
that requests to localize that file, no matter who the application owner
is or whether that user should be allowed to access files from the
target encryption zone.</p>
<ul>
<li><strong>Versions affected</strong>: 3.0.0-alpha1 - 3.0.0-alpha3 , 2.7.0 to 2.7.3, 2.6.1-2.6.5</li>
<li><strong>Fixed versions</strong>: 3.0.0-alpha4, 2.8.0, 2.7.4</li>
<li><strong>Impact</strong>: privilege escalation</li>
<li><strong>Reporter</strong>: Luke Herbert</li>
<li><strong>Reported Date</strong>: 2016/11/18</li>
<li><strong>Issue Announced</strong>: 2017/11/08 (<a href="https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li>
</ul>
<h1 id="thirdparty-vulnerabilities">Thirdparty vulnerabilities</h1>
<p>The following section describes thirdparty vulnerabilities that may be of interest to Hadoop users. Please contact the respective project owners for details.</p>
<h2 id="cve-2021-44228httpscvemitreorgcgi-bincvenamecginamecve-2021-44228-log4shell-vulnerability"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a> Log4Shell Vulnerability</h2>
<p>It is understood that the log4shell vulnerability CVE-2021-44228 impacts log4j2. Hadoop, as of 3.3.x depends on log4j 1.x, which is <strong>NOT</strong> susceptible to the attack. Once we migrate over to log4j2, we will adopt a version that is not susceptible to the attack, too. Therefore, no ASF version of Hadoop has ever been vulnerable. Third party products and applications based on Hadoop <em>may</em> be vulnerable, please consult the vendor or the project owner.</p>
<ul>
<li><strong>Versions affected</strong>: N/A</li>
</ul>
<h2 id="cve-2021-4104httpscvemitreorgcgi-bincvenamecginamecve-2021-4104-log4shell-vulnerability"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104">CVE-2021-4104</a> Log4Shell Vulnerability</h2>
<p>JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable to the Log4Shell attack in a similar fashion to CVE-2021-44228. However, the JMSAppender is not the default configuration shipped in Hadoop. When JMSAppender is not enabled, Hadoop is not vulnerable to the attack.</p>
<p>To mitigate the risk, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself following the instructions in this <a href="http://slf4j.org/log4shell.html">link</a>.</p>
<ul>
<li><strong>Versions affected</strong>: N/A</li>
</ul>
</div>
<div class="container">
<footer class="footer container">
<div class="col-md-6">
<p>Apache Hadoop, Hadoop, Apache, the Apache feather logo,
and the Apache Hadoop project logo are either registered trademarks or trademarks of the Apache Software Foundation
in the United States and other countries</p>
<p>Copyright © 2006-2022 The Apache Software Foundation</p>
<p><a href="/privacy_policy.html">Privacy policy</a></p>
</div>
<div class="col-md-6">
<img class="img-responsive" src="/asf_logo_wide.png"/>
</div>
</footer>
</div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="../../assets/js/vendor/jquery.min.js"><\/script>')</script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<script>
$(function() { $('table').addClass('table table-striped'); })
</script>
<script type="application/javascript">
var doNotTrack = false;
if (!doNotTrack) {
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-7453027-1', 'auto');
ga('send', 'pageview');
}
</script>
</body>
</html>