PT-2022-9679 · Apache · Apache Hadoop
Liu Ximing · Published 2022-08-25 · Updated 2023-02-10
CVE-2021-25642
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Hadoop versions prior to 2.10.2
Apache Hadoop versions prior to 3.2.4
Apache Hadoop versions prior to 3.3.4
Description
The ZKConfigurationStore, optionally used by CapacityScheduler of Apache Hadoop YARN, deserializes data from ZooKeeper without validation, allowing an attacker with access to ZooKeeper to run arbitrary commands as the YARN user.
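As an added illustration of the weakness class named in this advisory (deserialization of untrusted data), not Apache Hadoop code: the stand-alone Java program below contrasts an unfiltered ObjectInputStream read, which materialises whatever class the incoming bytes name, with a read constrained by a java.io.ObjectInputFilter allowlist (available since Java 9). The StoredConfig and Unexpected classes, the serialized byte arrays and the filter pattern are constructed for the example and do not reflect ZKConfigurationStore's actual classes or serialization format.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example for the weakness class "Deserialization of Untrusted Data".
// Not Apache Hadoop code: every type and byte array here is constructed.
public class DeserializationFilterDemo {

    // Stand-in for a configuration record a store legitimately persists.
    public static final class StoredConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final String value;
        StoredConfig(String key, String value) { this.key = key; this.value = value; }
    }

    // Stand-in for any Serializable type the store never wrote itself.
    // A reader that trusts the stream will instantiate it anyway.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Weak pattern: the class name embedded in the bytes is resolved and
    // instantiated with no check on whether it is a type we expect.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter names the only classes permitted,
    // caps object-graph depth and reference count, and rejects everything else
    // ("!*") before the unexpected class's deserialization logic can run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyConfig = ObjectInputFilter.Config.createFilter(
                "java.lang.String;DeserializationFilterDemo$StoredConfig;"
                + "maxdepth=3;maxrefs=16;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowOnlyConfig);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample records; the key name is illustrative only.
        byte[] expected = serialize(new StoredConfig("example.store.setting", "10000"));
        byte[] unexpected = serialize(new Unexpected());

        // The legitimate record passes the filtered reader.
        StoredConfig c = (StoredConfig) readFiltered(expected);
        System.out.println("filtered read ok: " + c.key + "=" + c.value);

        // The unfiltered reader accepts the foreign type without complaint.
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected).getClass().getName());

        // The filtered reader refuses it with InvalidClassException (filter status REJECTED).
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The allowlist, not the stream, decides which classes may be instantiated, which is the property an unvalidated read of store contents lacks; an equivalent process-wide default can be set with the `jdk.serialFilter` system property, but a per-stream filter keeps the policy next to the code that knows what the store should contain.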
Recommendations
For versions prior to 2.10.2, upgrade to Apache Hadoop 2.10.2 or later.
For versions prior to 3.2.4, upgrade to Apache Hadoop 3.2.4 or later.
For versions prior to 3.3.4, upgrade to Apache Hadoop 3.3.4 or later.
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Apache Hadoop