Arbitrary file write in FileUtil#unpackEntries on Windows
CVE-2022-26612

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 7 April 2022

Summary

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

Affected Version(s)

Apache Hadoop Windows < 3.2.3

Apache Hadoop Windows 3.3.1

Apache Hadoop Windows 3.3.2

References

https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220519-0004/

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 7, 2022
Vulnerability Reserved
Mar 7, 2022

Credit

This issue was reported by a member of GitHub Security Lab, Jaroslav Lobačevski (https://github.com/JarLob).