Description
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before passing it to the shell, so an attacker who controls that name can inject arbitrary commands. In Hadoop 3.3 the API is only used by InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. In Hadoop 2.x it has been used for YARN localization, which does enable remote code execution. Apache Spark uses it from the SQL command ADD ARCHIVE; since ADD ARCHIVE already adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions on the caller. SPARK-38305, "Check existence of file before untarring/zipping", included in Spark 3.3.0, 3.1.4 and 3.2.2, prevents shell commands from being executed regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (which include HADOOP-18136).
A flaw was found in the hadoop-common package: it allows an attacker to perform command injection through the org.apache.hadoop.fs.FileUtil.unTarUsingTar function.
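As an added illustration (not Hadoop's or Spark's own code), the weak pattern the description refers to is shown beside a hardened form; the class name and the sample paths are hypothetical:

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Illustrative contrast, not Hadoop's own code: the weak pattern builds one
// shell command string from a caller-supplied file name; the hardened pattern
// validates the archive first and hands tar each argument as a separate argv
// element, so no shell ever re-parses the name.
public final class UnTarPatterns {

    // Weak: the name is interpolated into a string that "bash -c" re-parses.
    // A quote or shell metacharacter in the name changes the command's meaning.
    static List<String> weakCommand(File inFile, File untarDir) {
        String cmd = "cd '" + untarDir + "' && tar -xf '" + inFile + "'";
        return Arrays.asList("bash", "-c", cmd);
    }

    // Hardened: existence check (the idea behind SPARK-38305) plus a direct
    // exec of tar, with "-C dir" replacing the "cd dir &&" shell idiom.
    static List<String> safeCommand(File inFile, File untarDir) throws IOException {
        if (!inFile.isFile()) {
            throw new IOException("not an existing regular file: " + inFile);
        }
        // Absolute paths also rule out a leading '-' being read as an option
        // or "-" being read as "archive on stdin".
        return Arrays.asList("tar", "-C", untarDir.getAbsolutePath(),
                             "-xf", inFile.getAbsolutePath());
    }

    // Runs an argv list without a shell and returns tar's exit status.
    static int run(List<String> argv) throws IOException, InterruptedException {
        return new ProcessBuilder(argv).inheritIO().start().waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample name containing a single quote: legal in a file
        // name, but it terminates the quoting in the weak command string.
        File archive = new File("/tmp/report'2024.tar");   // hypothetical path
        File dest = new File("/tmp/untar-out");            // hypothetical path
        System.out.println("weak : " + weakCommand(archive, dest));
        try {
            System.out.println("safe : " + safeCommand(archive, dest));
        } catch (IOException e) {
            // With the sample path absent, the hardened form stops here
            // before any process is started.
            System.out.println("safe : refused, " + e.getMessage());
        }
    }
}
```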
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | hadoop | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/volsync-mover-rclone-rhel8 | Not affected | | |
| Red Hat AMQ Broker 7 | hadoop | Not affected | | |
| Red Hat Data Grid 8 | hadoop | Not affected | | |
| Red Hat Fuse 7 | hadoop | Not affected | | |
| Red Hat Integration Camel K 1 | hadoop | Fix deferred | | |
| Red Hat Integration Camel Quarkus 1 | hadoop | Fix deferred | | |
| Red Hat Integration Data Virtualisation Operator | hadoop | Out of support scope | | |
| Red Hat JBoss Data Grid 7 | hadoop | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | hadoop | Out of support scope | | |
Additional information
Status:
CVSS3: 9.8 Critical
Related vulnerabilities
A vulnerability in the implementation of the FileUtil.unTar(File, File) API of Apache Hadoop, a platform for distributed development and execution of programs, allowing an attacker to execute arbitrary commands.
CVSS3: 9.8 Critical