Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ycjJtLWdmZnYtbWdyas4AAuea
Deserialization of Untrusted Data in Apache Hadoop YARN
ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Permalink: https://github.com/advisories/GHSA-rr2m-gffv-mgrjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycjJtLWdmZnYtbWdyas4AAuea
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-rr2m-gffv-mgrj, CVE-2021-25642
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-25642
- https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150
- https://github.com/apache/hadoop/commit/5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf
- https://security.netapp.com/advisory/ntap-20221201-0003/
- https://github.com/advisories/GHSA-rr2m-gffv-mgrj
Blast Radius: 21.8
Affected Packages
maven:org.apache.hadoop:hadoop-yarn-server
Dependent packages: 13Dependent repositories: 302
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.4, >= 3.0.0, < 3.2.4, < 2.10.2
Fixed in: 3.3.4, 3.2.4, 2.10.2
All affected versions: 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 0.23.11, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.3.3
All unaffected versions: 2.10.2, 3.2.4, 3.3.4, 3.3.5, 3.3.6, 3.4.0