Apache Hadoop Privilege escalation vulnerability
CVE-2021-33036

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 15 June 2022

Summary

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Affected Version(s)

Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1

References

https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/06/15/2

mailing-listx_refsource_MLIST

https://security.netapp.com/advisory/ntap-20220722-0003/

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 15, 2022
Vulnerability Reserved
May 17, 2021

Credit

Apache Hadoop would like to thank Hideyuki Furue for reporting and fixing this issue.