CVE-2021-25642 – org.apache.hadoop:hadoop-yarn-server
Package
Manager: maven
Name: org.apache.hadoop:hadoop-yarn-server
Vulnerable Version: >=0 <2.10.2 || >=3.0.0 <3.2.4 || >=3.3.0 <3.3.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00443 (percentile 0.6243)
Details
Deserialization of Untrusted Data in Apache Hadoop YARN. ZKConfigurationStore, which is optionally used by the CapacityScheduler of Apache Hadoop YARN, deserializes data obtained from ZooKeeper without validation. An attacker with access to ZooKeeper can run arbitrary commands as the YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Metadata
Created: 2022-08-26T00:03:33Z
Modified: 2022-09-08T14:13:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-rr2m-gffv-mgrj
Finding: F096
Auto approve: 1