<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] hadoop 2.7.6 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13531">13531</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] hadoop 2.7.6 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2017-15713, CVE-2018-11768, CVE-2018-1296, CVE-2018-8029, CVE-2020-9492, CVE-2021-33036, CVE-2022-25168,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>e.kosachev@rosalinux.ru, s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package hadoop version 2.7.6
INFO (CVEs are): hadoop 2.7.6
cves found
CVE-2017-15713
Desc: Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before
2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose
private files owned by the user running the MapReduce job history server
process. The malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history server
host.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15713">https://nvd.nist.gov/vuln/detail/CVE-2017-15713</a>
Severity: MEDIUM
CVE-2018-11768
Desc: In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1,
and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across
storing in fsimage and reading back from fsimage.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-11768">https://nvd.nist.gov/vuln/detail/CVE-2018-11768</a>
Severity: HIGH
CVE-2018-1296
Desc: In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0
to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs,
verifying only path-level search access to the directory rather than path-level
read permission to the referent.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1296">https://nvd.nist.gov/vuln/detail/CVE-2018-1296</a>
Severity: HIGH
CVE-2018-8029
Desc: In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and
2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary
commands as root user.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8029">https://nvd.nist.gov/vuln/detail/CVE-2018-8029</a>
Severity: HIGH
CVE-2020-9492
Desc: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha
to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL
without proper verification.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9492">https://nvd.nist.gov/vuln/detail/CVE-2020-9492</a>
Severity: HIGH
CVE-2021-33036
Desc: In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2,
and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run
arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2,
3.2.3, 3.3.2 or higher.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-33036">https://nvd.nist.gov/vuln/detail/CVE-2021-33036</a>
Severity: HIGH
CVE-2022-25168
Desc: Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input
file name before being passed to the shell. An attacker can inject arbitrary
commands. This is only used in Hadoop 3.3
InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local
user. It has been used in Hadoop 2.x for yarn localization, which does enable
remote code execution. It is used in Apache Spark, from the SQL command ADD
ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being
able to execute shell scripts does not confer new permissions to the caller.
SPARK-38305. "Check existence of file before untarring/zipping", which is
included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed,
regardless of which version of the hadoop libraries are in use. Users should
upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including
HADOOP-18136).
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25168">https://nvd.nist.gov/vuln/detail/CVE-2022-25168</a>
Severity: CRITICAL</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>