CVE-2021-25642

Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler

EPSS 1.8%CWE-502

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Aug 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

Affected products

Apache Software Foundation · Apache Hadoop

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150 https://security.netapp.com/advisory/ntap-20221201-0003/