CVE-2022-25168: Apache Hadoop Command Injection Vulnerability
Apache Hadoop has recently fixed a command injection vulnerability. Because Apache Hadoop's FileUtil.unTar API does not escape the input file name before passing it to the shell, an attacker who controls that file name can inject arbitrary shell commands and achieve remote code execution in the affected code paths. Tracked as CVE-2022-25168, the flaw is rated as important. Security researcher Kostya Kortchinsky is credited with reporting it.
The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high-availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures.
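The root cause described above is the difference between splicing a file name into a shell command string and handing the command its arguments as a list. The following is an added illustration written for this article, not Hadoop's own FileUtil code: it contrasts a hypothetical string-building pattern (labelled unsafe) with an argv-based ProcessBuilder invocation that never involves a shell, plus an allow-list check on the archive name. All class, method and variable names (UnTarHardening, buildShellCommandUnsafe, buildTarProcessSafe, isSafeArchiveName) are assumptions made for the example.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example (hypothetical names); not Apache Hadoop's implementation.
public class UnTarHardening {

    // UNSAFE pattern (illustrative): the archive path is concatenated into a
    // single string that bash re-parses. Any shell metacharacter in the file
    // name (quotes, $, ;, backticks, ...) is interpreted by the shell rather
    // than treated as part of the name. This is the class of bug the advisory
    // describes, shown here only to contrast with the hardened form.
    static String[] buildShellCommandUnsafe(File archive, File dest) {
        String cmd = "cd '" + dest.getAbsolutePath()
                   + "' && tar -xf '" + archive.getAbsolutePath() + "'";
        return new String[] { "bash", "-c", cmd };
    }

    // SAFE pattern: no shell at all. Each argument is passed to tar as its own
    // argv element, so the file name is delivered verbatim regardless of the
    // characters it contains. The working directory is set via the
    // ProcessBuilder API instead of a "cd" in a shell string.
    static ProcessBuilder buildTarProcessSafe(File archive, File dest) {
        List<String> argv = new ArrayList<>();
        argv.add("tar");
        argv.add("-xf");
        argv.add(archive.getAbsolutePath());
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.directory(dest);          // equivalent of the shell "cd", done by the JVM
        pb.redirectErrorStream(true); // keep tar's diagnostics with its output
        return pb;
    }

    // Defence in depth: if a caller insists on a shell, at least reject names
    // outside a conservative allow-list before they reach it. A rejected name
    // is a signal worth logging in a multi-tenant cluster.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9._/-]+$");

    static boolean isSafeArchiveName(String name) {
        return name != null
            && !name.isEmpty()
            && !name.contains("..")
            && SAFE_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample input: a file name containing a quote, a space
        // and a dollar sign, the kind of characters a shell would interpret.
        File archive = new File("/tmp/localize/it's $HOME.tar");
        File dest    = new File("/tmp/localize/out");

        System.out.println("unsafe shell form : "
            + Arrays.toString(buildShellCommandUnsafe(archive, dest)));
        // The safe form shows the name as one intact argv element; calling
        // .start() on it would run tar directly without a shell.
        System.out.println("safe argv form    : "
            + buildTarProcessSafe(archive, dest).command());
        System.out.println("allow-list check  : "
            + isSafeArchiveName(archive.getName()));         // false
        System.out.println("allow-list check  : "
            + isSafeArchiveName("app-1.0.tar"));              // true
    }
}
```

The point of the contrast is that the argv form removes the shell from the picture, so escaping is no longer a question; the allow-list is a secondary control for code paths that still need a shell, and its rejections are a useful detection signal when file names are attacker-influenced, as in the YARN localization case the bulletin mentions.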
“Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands.
This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution.
It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller,” read the security bulletin.
Affected versions
- 0.0 <= Apache Hadoop <= 2.10.1
- 0.0-alpha <= Apache Hadoop <= 3.2.3
- 3.0 <= Apache Hadoop <= 3.3.2
Unaffected versions
- Apache Hadoop 2.10.2
- Apache Hadoop 3.2.4
- Apache Hadoop 3.3.3
Apache Hadoop has fixed CVE-2022-25168 in its latest releases; administrators should upgrade to one of the unaffected versions as soon as possible, paying particular attention to Hadoop 2.x clusters where the YARN localization path is reachable by remote users.