CVE-2021-33036
N/A
N/A
Summary
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Hadoop | 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1 | affected |
Weaknesses
- CWE-264: CWE-264 Permissions, Privileges, and Access Controls
- CWE-24: CWE-24 Path Traversal: '../filedir'
Workarounds
If you are using the affected version of Apache Hadoop and some users can escalate to yarn user and cannot escalate to root user, remove the permission to escalate to yarn user from them.
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5
- http://www.openwall.com/lists/oss-security/2022/06/15/2
- https://security.netapp.com/advisory/ntap-20220722-0003/
References
- https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5
- http://www.openwall.com/lists/oss-security/2022/06/15/2
- https://security.netapp.com/advisory/ntap-20220722-0003/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.