[Bugs] [Bug 13531] New: [CVE 21] hadoop 2.7.6 CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Авг 23 23:20:07 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13531

          Platform: 2021.1
            Bug ID: 13531
           Summary: [CVE 21] hadoop 2.7.6  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2017-15713, CVE-2018-11768, CVE-2018-1296,
                    CVE-2018-8029, CVE-2020-9492, CVE-2021-33036,
                    CVE-2022-25168,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package hadoop version 2.7.6

INFO (CVEs are): hadoop 2.7.6
 cves found
CVE-2017-15713
Desc: Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before
2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose
private files owned by the user running the MapReduce job history server
process. The malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history server
host.
Link: https://nvd.nist.gov/vuln/detail/CVE-2017-15713
Severity: MEDIUM
CVE-2018-11768
Desc: In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1,
and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across
storing in fsimage and reading back from fsimage.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-11768
Severity: HIGH
CVE-2018-1296
Desc: In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0
to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs,
verifying only path-level search access to the directory rather than path-level
read permission to the referent.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1296
Severity: HIGH
CVE-2018-8029
Desc: In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and
2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary
commands as root user.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-8029
Severity: HIGH
CVE-2020-9492
Desc: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha
to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL
without proper verification.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9492
Severity: HIGH
CVE-2021-33036
Desc: In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2,
and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run
arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2,
3.2.3, 3.3.2 or higher.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-33036
Severity: HIGH
CVE-2022-25168
Desc: Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input
file name before being passed to the shell. An attacker can inject arbitrary
commands. This is only used in Hadoop 3.3
InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local
user. It has been used in Hadoop 2.x for yarn localization, which does enable
remote code execution. It is used in Apache Spark, from the SQL command ADD
ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being
able to execute shell scripts does not confer new permissions to the caller.
SPARK-38305. "Check existence of file before untarring/zipping", which is
included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed,
regardless of which version of the hadoop libraries are in use. Users should
upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including
HADOOP-18136).
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-25168
Severity: CRITICAL

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/96ef5f01/attachment-0001.html>

Подробная информация о списке рассылки Bugs