Heap buffer overflow in libhdfs native library
CVE-2021-37404

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 13 June 2022

Summary

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Affected Version(s)

Apache Hadoop 2.9.0 to 2.10.1

Apache Hadoop 3.0.0 to 3.1.4

Apache Hadoop 3.2.0 to 3.2.2

References

https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vj...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220715-0007/

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 13, 2022
Vulnerability Reserved
Jul 23, 2021

Credit

This issue was discovered by Igor Chervatyuk.