PT-2022-3981 · Apache · Apache Hadoop, Apache Spark

Kostya Kortchinsky

·

Published

2022-08-04

·

Updated

2025-12-30

·

CVE-2022-25168

CVSS v2.0

10.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Hadoop 2.x prior to 2.10.2
Apache Hadoop 3.0.x through 3.2.x prior to 3.2.4
Apache Hadoop 3.3.x prior to 3.3.3
Apache Spark (exposed through its use of the Hadoop FileUtil.unTar API; see Description)
Description

The FileUtil.unTar(File, File) API in Apache Hadoop does not escape the input file name before passing it to the shell, so an attacker who controls the archive name can inject arbitrary commands. In Hadoop 3.3 the API is used by InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. In Hadoop 2.x it is used for YARN localization, which enables remote code execution. Apache Spark also reaches the API from the SQL command ADD ARCHIVE, but since ADD ARCHIVE already lets the caller place new binaries on the classpath, executing shell scripts there does not confer new permissions on the caller.
Recommendations

Upgrade to Apache Hadoop 2.10.2, 3.2.4 or 3.3.3 (or later) for the release line in use. Where an upgrade is not yet possible, avoid calling the FileUtil.unTar(File, File) API on archives whose names can be influenced by untrusted parties, and avoid the SQL command ADD ARCHIVE in Apache Spark until the Hadoop libraries it loads are patched.
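The unsafe pattern described above beside its quoted counterpart, as an added example in Python (not Hadoop's own Java code). The command strings only imitate the shape `cd '<dir>' && tar -xf <file>` run through `bash -c`; the exact Hadoop source, the escaping helper and the malicious archive name are assumptions. The unsafe builder leaves an injected marker file in the extraction directory whether or not `tar` is installed, because the `;` in the name ends the tar command and starts a new one; the quoted builder hands the whole name to tar as a single operand.

```python
"""Constructed demonstration of the CVE-2022-25168 pattern.

Not Hadoop's code: the command strings imitate the shape of the
FileUtil.unTar shell invocation (cd '<dir>' && tar -xf <file>); the exact
Hadoop source and its escaping helper are assumptions.
"""
import os
import shlex
import shutil
import subprocess
import tempfile

MARKER = "injected.txt"


def build_untar_command_unsafe(in_file: str, untar_dir: str) -> str:
    # Pre-fix shape (assumed): the directory is single-quoted, but the archive
    # path is concatenated raw, so shell metacharacters in it are interpreted.
    return f"cd '{untar_dir}' && tar -xf {in_file}"


def build_untar_command_safe(in_file: str, untar_dir: str) -> str:
    # Hardened shape: every attacker-influenced operand is shell-quoted before
    # it enters the command string. shlex.quote stands in for an escaping
    # helper; Hadoop's own helper is not assumed here.
    return f"cd {shlex.quote(untar_dir)} && tar -xf {shlex.quote(in_file)}"


def run_untar(command: str) -> int:
    # Mirrors running the string through `bash -c`; falls back to sh if bash
    # is absent. Output is discarded; only the side effect matters here.
    shell = shutil.which("bash") or "sh"
    return subprocess.run([shell, "-c", command], capture_output=True).returncode


def marker_created(builder) -> bool:
    """Run the builder's command with an attacker-chosen archive name and
    report whether the injected `touch` fired inside the extraction dir."""
    with tempfile.TemporaryDirectory() as untar_dir:
        # Constructed malicious name: terminates the tar command and chains a
        # second command. Any metacharacter the shell honours would do.
        evil_name = f"payload.tar; touch {MARKER}"
        run_untar(builder(evil_name, untar_dir))
        return os.path.exists(os.path.join(untar_dir, MARKER))


def is_shell_safe_name(name: str) -> bool:
    # Allow-list check for defence in depth before any shell-based extraction:
    # reject anything outside a conservative path character set and names that
    # would be parsed by tar as an option.
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "0123456789._-/")
    return bool(name) and all(c in allowed for c in name) and not name.startswith("-")


if __name__ == "__main__":
    print("unsafe builder injected:", marker_created(build_untar_command_unsafe))
    print("safe builder injected:", marker_created(build_untar_command_safe))
    print("name check:", is_shell_safe_name("payload.tar; touch x"))
```

The allow-list check is a second layer, not a replacement for quoting: the root cause is building a shell command string from data, and the durable fix is either to quote every operand or to avoid the shell altogether by passing `["tar", "-xf", in_file, "-C", untar_dir]` as an argument vector.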

Fix

RCE

Weakness Enumeration

Argument Injection
OS Command Injection

Related Identifiers

BDU:2022-04814
CVE-2022-25168
GHSA-8WM5-8H9C-47PC
OESA-2022-2092

Affected Products

Apache Hadoop
Apache Spark