Flashes (Alerts)
Abstract
The FileUtil.unTar(File, File) API of Apache Hadoop (Hadoop) does not escape the input file name before it is passed to the shell, so an attacker who controls that file name can inject arbitrary commands.
Content
This is only used in Hadoop 3.3 through InMemoryAliasMap.completeBootstrapTransfer, which is run by a local user.
The FileUtil.unTar API has been used in Hadoop 2.x for YARN localization, which enables Remote Code Execution (RCE).
The FileUtil.unTar API is used in Apache Spark (Spark) by the SQL command ADD ARCHIVE. Because ADD ARCHIVE already adds new binaries to the classpath, being able to execute shell scripts does not confer any permission the caller does not already have.
SPARK-38305 “Check existence of file before untarring/zipping”, which is included in Hadoop 3.3.0, 3.1.4, 3.2.2, prevents shell commands from being executed, regardless of which version of the Hadoop libraries is in use.
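The fix class the advisory describes, shown as an added illustration (this is not Hadoop's, Spark's or Cloudera's code; the class and method names are my own): the archive and target directory are handed to tar as separate argv elements through ProcessBuilder, so no shell ever parses the file name, and the input is checked for existence before anything runs, the same kind of check SPARK-38305 adds.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Illustrative hardened untar helper (assumed names, not Hadoop's FileUtil). */
public final class SafeUnTar {

    /*
     * Weak pattern, for contrast only: building one string that bash parses
     *   { "bash", "-c", "cd " + untarDir + " && tar -xf " + inFile }
     * lets shell metacharacters in the file name become part of the command.
     * The version below never involves a shell.
     */
    public static List<String> buildCommand(File inFile, File untarDir) throws IOException {
        // Validate before building anything; a missing or odd input is an error, not a command.
        if (!inFile.isFile()) {
            throw new IOException("not a regular file: " + inFile);
        }
        if (!untarDir.isDirectory()) {
            throw new IOException("not a directory: " + untarDir);
        }
        List<String> cmd = new ArrayList<>();
        cmd.add("tar");
        cmd.add("-x");
        String name = inFile.getName();
        if (name.endsWith(".gz") || name.endsWith(".tgz")) {
            cmd.add("-z");
        }
        // Long options with '=' and absolute paths: the value is always taken as
        // the option's argument, so a name starting with '-' or containing
        // spaces, quotes or ';' is just a path, never an option or a command.
        cmd.add("--file=" + inFile.getAbsolutePath());
        cmd.add("--directory=" + untarDir.getAbsolutePath());
        return cmd;
    }

    /** Runs tar directly (no shell) and returns its exit status. */
    public static int unTar(File inFile, File untarDir) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(inFile, untarDir));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        p.getInputStream().transferTo(System.err); // drain so the child cannot block (Java 9+)
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SafeUnTar <archive> <target-dir>
        System.out.println("argv: " + buildCommand(new File(args[0]), new File(args[1])));
        System.exit(unTar(new File(args[0]), new File(args[1])));
    }
}
```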
CVE: CVE-2022-25168
Severity:
- Base Score: 9.8 CRITICAL
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Components affected:
- Apache Hadoop
- Apache Spark
Products affected:
- Cloudera Data Platform (CDP) Private Cloud Base
- CDP Public Cloud
- Cloudera Distribution including Apache Hadoop (CDH)
- Hortonworks Data Platform (HDP)
Releases affected:
- CDP Private Cloud Base 7.1.7 and lower versions
- CDP Public Cloud with Cloudera Runtime 7.2.14 and lower versions
- CDH 6.x, 5.x (already end of support)
- HDP 2.x, 3.x (already end of support)
Users affected:
- Users of the impacted releases
Impact:
- Attackers can use the SparkSQL ADD ARCHIVE command to perform RCE (they can also run shell scripts, which likewise amounts to RCE).
- In CDH5 and HDP2, attackers can submit malicious shell commands to the YARN Resource Manager during application submission; these commands are executed during the YARN localization phase.
Action required:
- Upgrade to one of the CDP Private Cloud Base or CDP Public Cloud versions listed below.
Addressed in release/refresh/patch:
- CDP Private Cloud Base 7.1.7 Service Pack (SP) 1
- CDP Public Cloud 7.2.15
Document Information
Modified date: 28 December 2022
UID: ibm16851707