CVE-2021-33036

Summary

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Hadoop2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1affected

Weaknesses

  • CWE-264: CWE-264 Permissions, Privileges, and Access Controls
  • CWE-24: CWE-24 Path Traversal: '../filedir'

Workarounds

If you are using the affected version of Apache Hadoop and some users can escalate to yarn user and cannot escalate to root user, remove the permission to escalate to yarn user from them.

ADP Enrichment

CVE Program Container

Additional References

References