CVE-2023-26031: Critical Apache Hadoop Privilege Escalation Vulnerability

Apache Hadoop is one of the dominant frameworks in big data, using distributed computing to process and analyze massive datasets. A recently discovered vulnerability, CVE-2023-26031, poses a significant threat to the security of Hadoop deployments: it allows local users to gain root privileges and potentially compromise sensitive data.

The Root of the Vulnerability

The vulnerability resides in the relative library resolution mechanism of the container-executor binary in Apache Hadoop versions 3.3.1 to 3.3.4 on Linux systems. The binary's embedded library search path governs where shared libraries (.so files) are loaded from, and in affected builds that path includes the relative entry “./lib/native/”, which is resolved against the caller's working directory rather than a fixed location.

Exploiting the Vulnerability: Gaining Root Access

An attacker can exploit this vulnerability by crafting a malicious library and placing it within a path accessible to the affected Hadoop installation. When the container-executor binary is invoked, it loads the malicious library; because container-executor runs as a setuid-root helper, the code in that library executes with root privileges on the system.

Remote Access Potential

The impact of CVE-2023-26031 extends beyond local exploitation. If the YARN cluster accepts work from remote, authenticated users, and those users' submitted jobs are executed on the physical host rather than in containers, the vulnerability can be exploited to gain remote root privileges.

Identifying Vulnerable Systems

To determine whether a Hadoop installation is vulnerable, use the readelf command to examine the RUNPATH or RPATH value of the container-executor binary (for example, readelf -d container-executor). If either value contains the relative path “./lib/native/”, the system is at risk.
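The check above can be automated for every node in a cluster. The following is an added example, not code from the Hadoop project: it parses the text output of readelf -d, splits the RPATH/RUNPATH entries the way the dynamic loader does, and flags any entry that is not absolute. The readelf output embedded below is constructed to illustrate the vulnerable and fixed cases, not captured from a real installation.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `readelf -d container-executor` output for a binary
# carrying the weak setting described in the article (relative "./lib/native/").
SAMPLE_READELF_VULNERABLE = """
Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [./lib/native/:/usr/lib]
 0x000000000000000c (INIT)               0x1000
"""

# Constructed sample for a binary with no RPATH/RUNPATH at all (the fixed shape).
SAMPLE_READELF_FIXED = """
Dynamic section at offset 0x2d98 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1000
"""

# Matches both "(RPATH) ... Library rpath: [...]" and "(RUNPATH) ... Library runpath: [...]".
_SEARCH_PATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")


def library_search_paths(readelf_output: str) -> Dict[str, List[str]]:
    """Return {"RPATH": [...], "RUNPATH": [...]} as found in `readelf -d` text.
    Each value is split on ':' like the dynamic loader does; '' means the cwd."""
    found: Dict[str, List[str]] = {}
    for line in readelf_output.splitlines():
        m = _SEARCH_PATH_RE.search(line)
        if m:
            found.setdefault(m.group(1), []).extend(m.group(2).split(":"))
    return found


def relative_search_paths(readelf_output: str) -> List[str]:
    """Entries resolved against the caller's working directory: anything that is
    neither absolute nor anchored to $ORIGIN (the binary's own directory)."""
    return [e for entries in library_search_paths(readelf_output).values()
            for e in entries if not (e.startswith("/") or e.startswith("$ORIGIN"))]


def is_vulnerable(readelf_output: str) -> bool:
    """True when any RPATH/RUNPATH entry would be searched relative to the cwd."""
    return bool(relative_search_paths(readelf_output))


def check_binary(path: str) -> bool:
    """Run the real readelf against a binary on this host (requires binutils)."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True)
    return is_vulnerable(out.stdout)
```

On a live node, check_binary("/path/to/container-executor") returns True when the binary still carries a relative search-path entry and should be remediated as described below.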

Remediation Strategies

Several remediation strategies can effectively address this vulnerability:

  1. Upgrade to Apache Hadoop 3.3.5: This is the most straightforward and recommended approach, as it resolves the underlying issue.

  2. Disable container-executor: If Yarn Secure Containers are not required, removing execute permissions from the container-executor binary, changing its ownership away from root, or simply deleting it will effectively mitigate the vulnerability.

  3. Replace the container-executor binary: As a temporary measure, if Yarn Secure Containers are required on a vulnerable release and an immediate upgrade is not feasible, replacing the container-executor binary with the one shipped in the 3.3.5 release will temporarily patch the vulnerability.