In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content.
This is because, on unix-like systems, the system temporary directory is
shared between all local users. As such, files written in this directory,
without setting the correct posix permissions explicitly, may be viewable
by all other local users.
Apache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-26612
### Vulnerable Library - hadoop-common-3.1.1.jarApache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Dependency Hierarchy: - :x: **hadoop-common-3.1.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
Publish Date: 2022-04-07
URL: CVE-2022-26612
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612
Release Date: 2022-04-07
Fix Resolution: 3.1.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-25168
### Vulnerable Library - hadoop-common-3.1.1.jarApache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Dependency Hierarchy: - :x: **hadoop-common-3.1.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
Publish Date: 2022-08-04
URL: CVE-2022-25168
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Release Date: 2022-08-04
Fix Resolution: 3.2.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-23454
### Vulnerable Library - hadoop-common-3.1.1.jarApache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
Dependency Hierarchy: - :x: **hadoop-common-3.1.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.
Publish Date: 2024-09-25
URL: CVE-2024-23454
### CVSS 3 Score Details (4.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-23454
Release Date: 2024-09-25
Fix Resolution: 3.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.