PT-2022-2441 · Apache · Apache Hadoop

Jarlob · Published 2022-03-07 · Updated 2023-08-08 · CVE-2022-26612

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Hadoop versions prior to 3.2.3

Description: The issue lies in the unTar function in Apache Hadoop, which calls the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. A TAR entry can create a symlink under the expected extraction directory that points to an external directory. A subsequent TAR entry may then extract an arbitrary file into that external directory by using the symlink name in its path. On Windows, the getCanonicalPath call does not resolve symbolic links, so the targetDirPath check is bypassed and the file is written outside the expected base directory.

Recommendations: For Apache Hadoop versions prior to 3.2.3, update to Apache Hadoop 3.2.3 to address the issue. As a temporary workaround, consider restricting the use of the unTar function on Windows systems until the update is applied.
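The two checks the description implies, rejecting a link entry whose target leaves the extraction directory and resolving an entry's parent path through symlinks already on disk before writing, shown as an added Python example; this is not Hadoop's Java code, and the archive it inspects is constructed inline for illustration.

```python
import io
import os
import tarfile

def _inside(base, path):
    """True if path lies within base (both absolute; base itself counts)."""
    try:
        return os.path.commonpath([base, path]) == base
    except ValueError:  # different drives on Windows
        return False

def check_member(base, member):
    """Return why this tar entry must be rejected, or None; base is absolute and resolved."""
    dest = os.path.normpath(os.path.join(base, member.name))
    if not _inside(base, dest):
        return "entry name escapes extraction directory"
    # realpath follows symlinks already on disk; a lexical check (getCanonicalPath on Windows) would not.
    if not _inside(base, os.path.realpath(os.path.dirname(dest))):
        return "parent directory resolves outside extraction directory"
    if member.issym() or member.islnk():
        anchor = os.path.dirname(dest) if member.issym() else base
        target = os.path.normpath(os.path.join(anchor, member.linkname))
        if not _inside(base, target):
            return "link target outside extraction directory"

def safe_extract(tar_bytes, base_dir):
    """Extract vetted entries one at a time; return [(name, reason)] for rejected ones."""
    base = os.path.realpath(base_dir)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            reason = check_member(base, member)
            if reason:
                rejected.append((member.name, reason))
            else:
                tf.extract(member, path=base)  # sequential, so later checks see earlier links
    return rejected

def build_sample_tar():
    """Constructed test input, not from the advisory: benign file, symlink above base dir, file through it."""
    link = tarfile.TarInfo("data/link")
    link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
    entries = [(tarfile.TarInfo("data/readme.txt"), b"ok\n"), (link, None),
               (tarfile.TarInfo("data/link/x.txt"), b"via link\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for info, data in entries:
            info.size = len(data or b"")
            tf.addfile(info, io.BytesIO(data) if data else None)
    return buf.getvalue()
```

Because the escaping symlink is never created, the later entry lands in a real directory inside the extraction root instead of being written through the link.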

Weakness Enumeration

Path traversal
Link Following

Related Identifiers

BDU:2022-02847
CVE-2022-26612
GHSA-GX2C-FVHC-PH4J
OESA-2022-2092

Affected Products

Apache Hadoop