CVE-2021-25642: Apache Hadoop Command Execution Vulnerability

Recently, Apache Hadoop fixed a command injection vulnerability. This bug is caused by a flaw when ZKConfigurationStore is used, an attacker could exploit this vulnerability to inject arbitrary commands and thus achieve remote code execution. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands as a YARN user on the system. Track as CVE-2021-25642, the flaw severity is important. Security researcher Liu Ximing has been credited with reporting this flaw.

The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures.

“ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this.” read the security bulletin.

Affected version

• Apache Hadoop version 2.9.0 to 2.10.1
• Apache Hadoop version 3.0.0-alpha to 3.2.3
• Apache Hadoop version 3.3.0 to 3.3.3

Unaffected

• Apache Hadoop 2.10.2
• Apache Hadoop 3.2.4
• Apache Hadoop 3.3.4 or later

At present, Apache Hadoop has fixed the CVE-2021-25642 vulnerability in the latest version, please install the unaffected version as soon as possible.