2127281 – (CVE-2021-25642) CVE-2021-25642 Hadoop: YARN remote code execution in ZKConfigurationStore of capacity scheduler

Bug 2127281 (CVE-2021-25642) - CVE-2021-25642 Hadoop: YARN remote code execution in ZKConfigurationStore of capacity scheduler

Summary: CVE-2021-25642 Hadoop: YARN remote code execution in ZKConfigurationStore of ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-25642
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2122666
TreeView+	depends on / blocked

Reported:	2022-09-15 20:03 UTC by Chess Hazlett
Modified:	2022-12-08 09:14 UTC (History)
CC List:	18 users (show)
Fixed In Version:	Hadoop 2.10.2, Hadoop 3.2.4, Hadoop 3.3.4
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-11-27 14:27:42 UTC
Embargoed:

Attachments	(Terms of Use)

Description Chess Hazlett 2022-09-15 20:03:06 UTC

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this.

Comment 1 Product Security DevOps Team 2022-11-27 14:27:40 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25642

Note You need to log in before you can comment on or make changes to this bug.