Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler
CVE-2021-25642

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 25 August 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

Affected Version(s)

Apache Hadoop 2.9.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.3, and 3.3.0 to 3.3.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-25642
Created by safe3s

References

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58...

https://security.netapp.com/advisory/ntap-20221201-0003/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Aug 26, 2022
👾
Exploit known to exist
Aug 26, 2022
Vulnerability published
Aug 25, 2022
Vulnerability Reserved
Jan 20, 2021

Credit

Apache Hadoop would like to thank Liu Ximing for reporting this issue.