Privilege Escalation Vulnerability in Apache Hadoop by The Apache Software Foundation
CVE-2017-7669

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 5 June 2017

Summary

In specific versions of Apache Hadoop, particularly 2.8.0 and alpha releases of 3.0.0, the LinuxContainerExecutor is designed to run Docker commands with root privileges. However, the implementation suffers from a lack of adequate input validation, allowing authenticated users to execute arbitrary commands as the root user when the Docker feature is enabled. This vulnerability highlights significant security concerns for installations running these versions, as it may lead to unauthorized access and control over system resources.

Affected Version(s)

Apache Hadoop 2.8.0

Apache Hadoop 3.0.0-alpha1 and 3.0.0-alpha2

References

http://www.securityfocus.com/bid/98795

vdb-entryx_refsource_BID

https://mail-archives.apache.org/mod_mbox/hadoop-user/201...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 5, 2017
Vulnerability Reserved
Apr 11, 2017