CVE-2021-25642

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

8.8HIGH

EPSS

2.7%

top 14.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop Apache Software Foundation Apache Hadoop

Timeline

PublishedAug 25

Latest updateAug 26

Description

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-yarn-server3.0.0 — 3.2.4+2

▶NVDapache/hadoop2.9.0 — 2.10.2+2

▶CVEListV5apache_software_foundation/apache_hadoop2.9.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.3, and 3.3.0 to 3.3.3

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in Apache Hadoop YARN↗2022-08-26

▶

OSV

Deserialization of Untrusted Data in Apache Hadoop YARN↗2022-08-26

▶

CVEList

Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler↗2022-08-25

▶

📋Vendor Advisories

Red Hat

Hadoop: YARN remote code execution in ZKConfigurationStore of capacity scheduler↗2022-08-25

▶

Apache

Apache hadoop: CVE-2021-25642↗

▶