Apache Hadoop 3.0.1 Remote Code Execution Vulnerability

Summary

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user.

Credit:

The information has been provided by Akira Ajisaka

The original article can be found at: https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E

Details

Apache Hadoop is prone to a remote privilege-escalation vulnerability.
A remote attacker can exploit this issue to execute arbitrary commands with root privileges.
Apache Hadoop 3.0.0-alpha1 through 3.1.0, 2.9.0 through 2.9.1, and 2.2.0 through 2.8.4 are vulnerable.
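As an added illustration that is not part of the advisory, the following Python checks a deployed Hadoop version against the affected ranges quoted above; the point it handles is that Hadoop's pre-release tags (3.0.0-alpha1, 3.0.0-beta1) must sort below the final 3.0.0 release, which a plain string comparison gets wrong. The `hadoop version` output used as input is a constructed sample.

```python
import re
from typing import Tuple

# Affected ranges exactly as the advisory states them (inclusive at both ends).
AFFECTED_RANGES = [
    ("3.0.0-alpha1", "3.1.0"),
    ("2.9.0", "2.9.1"),
    ("2.2.0", "2.8.4"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta)(\d*))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Hadoop version string into a sortable tuple.

    Pre-release tags sort below the final release of the same number:
    3.0.0-alpha1 < 3.0.0-alpha2 < 3.0.0-beta1 < 3.0.0 < 3.0.1.
    Rank: alpha=0, beta=1, final=2; a tag without a number counts as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Hadoop version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"alpha": 0, "beta": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch), rank, int(tagnum or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_hadoop_output(output: str) -> str:
    """Pull the version out of the first line of `hadoop version` ("Hadoop 3.0.1")."""
    first = output.strip().splitlines()[0]
    m = re.match(r"^Hadoop\s+(\S+)", first)
    if not m:
        raise ValueError(f"unexpected first line: {first!r}")
    return m.group(1)


# Constructed sample of `hadoop version` output (not captured from a real node).
SAMPLE_OUTPUT = "Hadoop 3.0.1\nSource code repository (constructed sample)\n"

if __name__ == "__main__":
    ver = version_from_hadoop_output(SAMPLE_OUTPUT)
    print(f"Hadoop {ver}: {'AFFECTED' if is_affected(ver) else 'outside affected ranges'}")
```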

Vulnerable Systems:

  • Apache Hadoop 3.0.1
  • Apache Hadoop 2.9.1
  • Apache Hadoop 2.9
  • Apache Hadoop 2.8.4
  • Apache Hadoop 2.8.3
  • Apache Hadoop 2.8.2
  • Apache Hadoop 2.8
  • Apache Hadoop 2.7.7
  • Apache Hadoop 2.7.6
  • Apache Hadoop 2.7.5
  • Apache Hadoop 2.7.4
  • Apache Hadoop 2.7.2
  • Apache Hadoop 2.7.1
  • Apache Hadoop 2.7
  • Apache Hadoop 2.6.4
  • Apache Hadoop 2.6.3
  • Apache Hadoop 2.6
  • Apache Hadoop 3.0.0-beta1
  • Apache Hadoop 3.0.0-alpha3
  • Apache Hadoop 3.0.0-alpha2
  • Apache Hadoop 3.0.0-alpha1
  • Apache Hadoop 3.0.0-alpha
  • Apache Hadoop 2.7.3
  • Apache Hadoop 2.7.0-3
  • Apache Hadoop 2.6.5
  • Apache Hadoop 2.5.2
  • Apache Hadoop 2.5.1
  • Apache Hadoop 2.5.0
  • Apache Hadoop 2.4.1
  • Apache Hadoop 2.3.0
  • Apache Hadoop 2.2.0

CVE Information:

CVE-2019-8029

Disclosure Timeline:
Publish Date: 05/30/2019