Bug 2119084 (CVE-2022-25168)

Summary: CVE-2022-25168 hadoop: Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, alcohan, asoldano, ataylor, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, chfoley, cmiranda, ctubbsii, darran.lofthouse, dbruscin, denis.arnaud_fedora, dfreiber, dkreling, dosoudil, drow, eglynn, extras-orphan, fjuma, fmongiar, gmalinko, gparvin, istudens, ivassile, iweiss, janstey, jburrell, jjoyce, jnethert, jochrist, jolee, jschatte, jscholz, jstastny, jwon, kvanderr, lgao, lhh, loleary, mburns, mgarciac, milleruntime, mmclaugh, mosmerov, msochure, msvehla, njean, nwallace, owatkins, pahickey, pantinor, pcongius, pdelbell, peholase, pesilva, pjindal, pmackay, rareddy, rhaigner, rkieley, rstancel, rstepani, smaestri, spinder, spower, stcannon, swoodman, theute, tom.jenkinson, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hadoop-commons 2.10.2, hadoop-commons 3.2.4, apache hadoop 3.3.3 Doc Type: ---
Doc Text:
A flaw was found in the hadoop-common package. This flaw allows an attacker to benefit from command injection using the org.apache.hadoop.fs.FileUtil.unTarUsingTar function.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2119086, 2119085    
Bug Blocks: 2115731    

Description Patrick Del Bello 2022-08-17 13:34:04 UTC 
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Comment 1 Patrick Del Bello 2022-08-17 13:34:36 UTC 
Created hadoop tracking bugs for this issue:

Affects: epel-all [bug 2119086]
Affects: fedora-all [bug 2119085]