Bug 1795321 (CVE-2018-8029) - CVE-2018-8029 hadoop: a user who can escalate to yarn user can possibly run arbitrary commands as root user
Summary: CVE-2018-8029 hadoop: a user who can escalate to yarn user can possibly run a...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-8029
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1795323
Blocks: 1795324
TreeView+ depends on / blocked
 
Reported: 2020-01-27 17:04 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-08-24 16:13 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Hadoop in versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4. A user who can escalate to a yarn user can possibly run arbitrary commands as root user. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-02-28 09:50:08 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-01-27 17:04:37 UTC 
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Reference:
https://lists.apache.org/thread.html/3d6831c3893cd27b6850aea2feff7d536888286d588e703c6ffd2e82@%3Cuser.hadoop.apache.org%3E
Comment 1 Guilherme de Almeida Suckevicz 2020-01-27 17:08:04 UTC 
Created hadoop tracking bugs for this issue:

Affects: fedora-all [bug 1795323]
Comment 2 Paramvir jindal 2020-01-28 07:44:17 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 3 Mark Cooper 2020-01-29 06:39:14 UTC 
The container openshift4/ose-metering-hadoop is packaged with OpenShift 4.x and does not contain a vulnerable version of Hadoop (3.1.1).
Comment 4 Hardik Vyas 2020-02-07 11:40:47 UTC 
rhs-hadoop is a GlusterFS Hadoop Plug-in which provides Hadoop FileSystem support for GlusterFS, and is different from actual apache hadoop. Also, rhs-hadoop is no more supported, as support for Hortonworks Data Platform (HDP) on Red Hat Gluster Storage integrated using the Hadoop Plug-In is deprecated.
Comment 5 Mark Cooper 2020-02-12 05:15:26 UTC 
Further the openshift4/ose-metering-hadoop container does not run yarn in any resource/job management or privileged role (like normal Apache Hadoop). Instead included for is HDFS support.
Comment 7 Yadnyawalk Tale 2020-02-28 07:43:06 UTC 
Hadoop is used to build satellite-doc-indexes, i.e. to build lucene index files to search documentation. Not able to find Hadoop and Yarn combination on Satellite 5.8, marking it as a not affected.
Comment 8 Product Security DevOps Team 2020-02-28 09:50:08 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-8029
Note You need to log in before you can comment on or make changes to this bug.