PT-2018-3331 · Apache · Apache Hadoop

Published

2018-11-13

·

Updated

2020-10-08

·

CVE-2018-8009

CVSS v2.0

10

High

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Hadoop versions 3.1.0, 3.0.0-alpha through 3.0.2, 2.9.0 through 2.9.1, 2.8.0 through 2.8.4, 2.0.0-alpha through 2.7.6, 0.23.0 through 0.23.11
Description: The YARN NodeManager component of Apache Hadoop does not properly validate the entry names of archives it extracts on behalf of submitted applications. An archive entry whose name contains directory traversal sequences such as "../" is written outside the intended extraction directory (the so-called Zip Slip vulnerability, a form of path traversal). A remote attacker who can get a crafted archive accepted by a NodeManager can therefore bypass the directory restriction and write attacker-controlled files to any location writable by the NodeManager process, which can lead to code execution on the node.
Recommendations: Upgrade to a release that contains the fix: Apache Hadoop 2.7.7, 2.8.5, 2.9.2, 3.0.3, 3.1.1 or later. No fixed releases were issued for the 0.23.x and 2.0 to 2.6 lines; clusters on those lines should move to a fixed line. Until the upgrade is complete, limit application submission (and therefore the archives the NodeManager will extract) to trusted users, and do not run the NodeManager with more privileges than it needs.
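The following is an added example illustrating the Zip Slip pattern described above; it is not code from Apache Hadoop or from this advisory. It builds a constructed archive in memory whose second entry is named "../../escaped.txt", extracts it with a hand-written naive extractor that trusts the entry name (the flawed pattern), and then with a hardened extractor that canonicalises every destination and checks it component-wise against the target directory before writing anything. Function names, directory names and the entry names are chosen for illustration only and do not correspond to Hadoop internals.

```python
"""Zip Slip, the class of bug behind CVE-2018-8009, shown on a constructed archive.

Added example; not code from Apache Hadoop or from the advisory. Entry names,
directory names and function names are chosen for illustration.
"""
import io
import os
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive entry would be written outside the target directory."""


def build_malicious_zip() -> bytes:
    """Construct (in memory) an archive with one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.txt", "benign=1\n")
        # The entry name itself carries the traversal; nothing else is special.
        zf.writestr("../../escaped.txt", "owned\n")
    return buf.getvalue()


def unzip_naive(data: bytes, target_dir: str) -> list:
    """Vulnerable pattern: joins the untrusted entry name onto target_dir and writes.

    Written by hand (not ZipFile.extractall, which strips '..') so the flaw is visible.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dest = os.path.join(target_dir, info.filename)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(dest))
    return written


def resolve_member(root: str, name: str) -> str:
    """Canonical destination for `name` under canonical `root`, or ZipSlipError.

    Comparing canonical paths component-wise (commonpath) rather than with
    startswith() also rejects sibling-prefix escapes such as root "/srv/nm"
    versus destination "/srv/nm2/x".
    """
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ZipSlipError(f"entry escapes target dir: {name!r}")
    return dest


def is_safe_member(root: str, name: str) -> bool:
    """Boolean form of resolve_member for quick checks."""
    try:
        resolve_member(os.path.realpath(root), name)
        return True
    except ZipSlipError:
        return False


def unzip_hardened(data: bytes, target_dir: str) -> list:
    """Fixed pattern: validate every entry before writing anything."""
    root = os.path.realpath(target_dir)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, resolve_member(root, info.filename)) for info in zf.infolist()]
        written = []
        for info, dest in plan:
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(dest)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree; return what happened."""
    data = build_malicious_zip()
    base = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    # Two-level target so the "../../" entry lands inside `base`, not outside the scratch tree.
    target = os.path.join(base, "nm-local", "appcache")
    os.makedirs(target)

    naive_paths = unzip_naive(data, target)
    escaped = os.path.join(base, "escaped.txt")
    naive_escaped = escaped in naive_paths and os.path.isfile(escaped)

    try:
        unzip_hardened(data, os.path.join(base, "safe"))
        hardened_rejected = False
    except ZipSlipError:
        hardened_rejected = True
    # Validation happens before any write, so nothing was extracted into "safe".
    nothing_written = not os.path.exists(os.path.join(base, "safe", "app"))
    return {"naive_escaped": naive_escaped,
            "hardened_rejected": hardened_rejected,
            "hardened_wrote_nothing": nothing_written}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any extractor, Hadoop's included: canonicalise the destination (so symlinks and ".." are resolved) before comparing it with the target, and compare component-wise rather than with a string prefix, otherwise "/srv/nm2/x" passes a check against "/srv/nm". Validating the whole entry list before the first write also avoids leaving a half-extracted archive behind when a bad entry is found late.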

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2019-04864
CVE-2018-8009
GHSA-6X48-J4X4-CQW3

Affected Products

Apache Hadoop