Description
ZKConfigurationStore, which is optionally used by the CapacityScheduler of Apache Hadoop YARN, deserializes data obtained from ZooKeeper without validation. An attacker with access to ZooKeeper can exploit this to run arbitrary commands as the YARN user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Report
No Red Hat products are affected by this vulnerability. While some do use Hadoop YARN, none provide the affected Capacity Scheduler component.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | hadoop-yarn | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | hadoop-yarn | Not affected | | |
| Red Hat Fuse 7 | hadoop-yarn | Not affected | | |
| Red Hat Integration Camel K 1 | hadoop-yarn | Not affected | | |
| Red Hat Integration Camel Quarkus 1 | hadoop-yarn | Not affected | | |
| Red Hat JBoss Data Grid 7 | hadoop-yarn | Not affected | | |
Additional information
EPSS
CVSS3: 7.5 High
Related vulnerabilities
Deserialization of Untrusted Data in Apache Hadoop YARN