PT-2022-10193 · Apache · Apache Hadoop

Hideyuki Furue

·

Published

2022-06-15

·

Updated

2022-10-27

·

CVE-2021-33036

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Hadoop versions 2.2.0 through 2.10.1
Apache Hadoop versions 3.0.0-alpha1 through 3.1.4
Apache Hadoop versions 3.2.0 through 3.2.2
Apache Hadoop versions 3.3.0 through 3.3.1
Description

A user who can escalate to the yarn user can possibly run arbitrary commands as root. In a YARN deployment the yarn account is the service user under which the NodeManager runs, so any compromise of that service account, or any path that lets a local user run code as it, becomes root on the node.
Recommendations

For Apache Hadoop versions 2.2.0 through 2.10.1, upgrade to Apache Hadoop 2.10.2 or higher.
For Apache Hadoop versions 3.0.0-alpha1 through 3.1.4, upgrade to Apache Hadoop 3.2.3 or higher (the upgrade target for the 3.0 and 3.1 lines is the 3.2 line; no fixed 3.0.x or 3.1.x release is listed).
For Apache Hadoop versions 3.2.0 through 3.2.2, upgrade to Apache Hadoop 3.2.3 or higher.
For Apache Hadoop versions 3.3.0 through 3.3.1, upgrade to Apache Hadoop 3.3.2 or higher.
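As an added example (not part of this advisory and not Apache Hadoop code), the following Python script applies the affected ranges and upgrade targets listed above to a Hadoop version string. The only behaviour it assumes of the real tool is that `hadoop version` prints `Hadoop X.Y.Z` on its first line; the function names, the range table and the sample output are constructed here. The version parser orders pre-releases (alpha, beta, rc) before the final release with the same number, which matters because the second range starts at 3.0.0-alpha1.

```python
"""Check an Apache Hadoop version against the ranges affected by CVE-2021-33036
and return the upgrade target the advisory recommends."""
import re
import subprocess

# Affected ranges (inclusive bounds) and the recommended fix version for each,
# copied from the advisory's recommendation text.
AFFECTED_RANGES = [
    ("2.2.0", "2.10.1", "2.10.2"),
    ("3.0.0-alpha1", "3.1.4", "3.2.3"),
    ("3.2.0", "3.2.2", "3.2.3"),
    ("3.3.0", "3.3.1", "3.3.2"),
]

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH[-alphaN|-betaN|-rcN]' into a sortable tuple.

    A pre-release sorts before the final release of the same number, so
    3.0.0-alpha1 < 3.0.0-beta1 < 3.0.0-rc1 < 3.0.0. Anything else (vendor build
    strings such as 3.1.1.3.1.4.0-315, SNAPSHOT builds) raises ValueError rather
    than being compared against upstream ranges that do not apply to it.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Hadoop version string: {version!r}")
    major, minor, patch, tag, n = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), 1, 0, 0)
    return (int(major), int(minor), int(patch), 0, _PRERELEASE_RANK[tag.lower()], int(n))


def check_cve_2021_33036(version):
    """Return the recommended upgrade target if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fix
    return None


def version_from_hadoop_output(output):
    """Extract the version from `hadoop version` output, whose first line reads
    'Hadoop X.Y.Z'; the following build-metadata lines are ignored."""
    first = output.strip().splitlines()[0]
    m = re.match(r"^Hadoop\s+(\S+)", first)
    if not m:
        raise ValueError(f"unexpected `hadoop version` output: {first!r}")
    return m.group(1)


def check_local_install():
    """Run `hadoop version` on this host (hadoop must be on PATH) and return
    (version, upgrade_target_or_None)."""
    out = subprocess.run(
        ["hadoop", "version"], capture_output=True, text=True, check=True
    ).stdout
    version = version_from_hadoop_output(out)
    return version, check_cve_2021_33036(version)


if __name__ == "__main__":
    # Constructed sample of `hadoop version` output so the script runs without
    # a Hadoop install; on a real node call check_local_install() instead.
    SAMPLE_OUTPUT = "Hadoop 3.3.1\nCompiled by example on 2021-01-01T00:00Z\n"
    v = version_from_hadoop_output(SAMPLE_OUTPUT)
    fix = check_cve_2021_33036(v)
    if fix:
        print(f"Hadoop {v}: affected by CVE-2021-33036, upgrade to {fix} or higher")
    else:
        print(f"Hadoop {v}: not in an affected range")
```

Vendor distributions ship their own version strings and backport fixes independently of the upstream release line, so the parser rejects those strings on purpose: for such a build the vendor's advisory, not the upstream range table, is the reference.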

Weakness Enumeration

Deserialization of Untrusted Data
Path traversal

Related Identifiers

CVE-2021-33036
GHSA-58JX-F5RF-QGQF
OESA-2022-2016

Affected Products

Apache Hadoop