QwikSec

Security Database

CVE

CWE

Training

CVE-2021-25642

Published: Aug 25, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

Vendor	Product	Versions
Apache Software Foundation	Apache Hadoop	affected `2.9.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.3, and 3.3.0 to 3.3.3`

Weaknesses (CWE)

References

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150

https://security.netapp.com/advisory/ntap-20221201-0003/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.