Bug 1795321 (CVE-2018-8029)

Summary: CVE-2018-8029 hadoop: a user who can escalate to yarn user can possibly run arbitrary commands as root user
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, bchilds, bigdata-qe-bugs, bkearney, bmontgom, chazlett, ctubbsii, denis.arnaud_fedora, drieden, eboyd, eparis, extras-orphan, ggaughan, hvyas, janstey, jburrell, jochrist, jokerman, jolee, jschatte, jstastny, jwon, matt, mcooper, milleruntime, nstielau, pjindal, puebele, rhs-bugs, sd-operator-metering, sisharma, sponnaga, tflannag, tlestach, tmielke, vbellur, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Hadoop in versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4. A user who can escalate to a yarn user can possibly run arbitrary commands as root user. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-28 09:50:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1795323    
Bug Blocks: 1795324    

Description Guilherme de Almeida Suckevicz 2020-01-27 17:04:37 UTC 
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Reference:
https://lists.apache.org/thread.html/3d6831c3893cd27b6850aea2feff7d536888286d588e703c6ffd2e82@%3Cuser.hadoop.apache.org%3E
Comment 1 Guilherme de Almeida Suckevicz 2020-01-27 17:08:04 UTC 
Created hadoop tracking bugs for this issue:

Affects: fedora-all [bug 1795323]
Comment 2 Paramvir jindal 2020-01-28 07:44:17 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 3 Mark Cooper 2020-01-29 06:39:14 UTC 
The container openshift4/ose-metering-hadoop is packaged with OpenShift 4.x and does not contain a vulnerable version of Hadoop (3.1.1).
Comment 4 Hardik Vyas 2020-02-07 11:40:47 UTC 
rhs-hadoop is a GlusterFS Hadoop Plug-in which provides Hadoop FileSystem support for GlusterFS, and is different from actual apache hadoop. Also, rhs-hadoop is no more supported, as support for Hortonworks Data Platform (HDP) on Red Hat Gluster Storage integrated using the Hadoop Plug-In is deprecated.
Comment 5 Mark Cooper 2020-02-12 05:15:26 UTC 
Further the openshift4/ose-metering-hadoop container does not run yarn in any resource/job management or privileged role (like normal Apache Hadoop). Instead included for is HDFS support.
Comment 7 Yadnyawalk Tale 2020-02-28 07:43:06 UTC 
Hadoop is used to build satellite-doc-indexes, i.e. to build lucene index files to search documentation. Not able to find Hadoop and Yarn combination on Satellite 5.8, marking it as a not affected.
Comment 8 Product Security DevOps Team 2020-02-28 09:50:08 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-8029