This is an automated email from the ASF dual-hosted git repository.

gaurava pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/hadoop-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 7dc40cee7d Add details of CVE-2022-26612 (#38)
7dc40cee7d is described below

commit 7dc40cee7df673f7a96b1fdb2f40e027ffc14ea3
Author: Gautham B A <[email protected]>
AuthorDate: Wed Apr 20 23:26:33 2022 +0530

    Add details of CVE-2022-26612 (#38)
    
    * Added the details of
      CVE-2022-26612 to
      cve_list page.
---
 content/cve_list.html | 15 +++++++++++++++
 content/index.xml     |  2 +-
 src/cve_list.md       | 15 +++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/content/cve_list.html b/content/cve_list.html
index 4797153e88..501eb6cbb6 100644
--- a/content/cve_list.html
+++ b/content/cve_list.html
@@ -169,6 +169,21 @@ One paragraph summary goes here. Don't need nuts-and-bolts 
detail, just enough f
 - **Reported Date**:
 - **Issue Announced**:
 -->
+<h2 
id="cve-2022-26612httpcvemitreorgcgi-bincvenamecginamecve-2022-26612-arbitrary-file-write-during-untar-on-windows"><a
 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26612";>CVE-2022-26612</a>
 Arbitrary file write during untar on Windows</h2>
+<p>In Apache Hadoop, The <code>unTar</code> function uses 
<code>unTarUsingJava</code> function on Windows and the built-in tar utility on 
Unix and other OSes.  As a result, a TAR entry may create a symlink under the 
expected extraction directory which points to an external directory. A 
subsequent TAR entry may extract an arbitrary file into the external directory 
using the symlink name. This however would be caught by the same 
<code>targetDirPath</code> check on Unix because of the <code [...]
+<p>Users of the affected versions should apply either of the following 
mitigations:</p>
+<ul>
+<li>Do not run any of the YARN daemons as a user possessing the permissions to 
create symlinks on Windows.</li>
+<li>Do not use symlinks in the tar file.</li>
+</ul>
+<ul>
+<li><strong>Versions affected</strong>: Versions below 3.2.3, 3.3.2</li>
+<li><strong>Fixed versions</strong>: 3.2.3, 3.3.3, 3.4 onwards</li>
+<li><strong>Impact</strong>: file write to arbitrary path in Windows</li>
+<li><strong>Reporter</strong>: A member of GitHub Security Lab, <a 
href="https://github.com/JarLob";>Jaroslav Lobačevski</a></li>
+<li><strong>Reported Date</strong>: 2022/02/09</li>
+<li><strong>Issue Announced</strong>: 2022/04/7 (<a 
href="https://lists.apache.org/thread/wps21pzjl1myxw23yb466y9yofv104yl";>general@hadoop</a>)</li>
+</ul>
 <h2 
id="cve-2020-9492httpcvemitreorgcgi-bincvenamecginamecve-2020-9492-apache-hadoop-potential-privilege-escalation"><a
 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492";>CVE-2020-9492</a>
 Apache Hadoop Potential privilege escalation</h2>
 <p>WebHDFS client might send SPNEGO authorization header to remote URL
 without proper verification. A crafty user can trigger services to
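Review bot: the affected and fixed versions in the new list items disagree: "Versions affected: Versions below 3.2.3, 3.3.2" versus "Fixed versions: 3.2.3, 3.3.3, 3.4 onwards". If 3.3.3 is the first fixed 3.3 release then 3.3.2 is itself affected and the first line should read "below 3.2.3, 3.3.3"; if 3.3.2 already carries the fix, the second line should list 3.3.2. Please make the two lines agree, and pad the announcement date to "2022/04/07" to match "2022/02/09". Since content/cve_list.html is generated from src/cve_list.md (both are in this commit), the correction belongs in the markdown source and the HTML should be regenerated from it.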
diff --git a/content/index.xml b/content/index.xml
index b9136fa5e6..ddabf6368c 100644
--- a/content/index.xml
+++ b/content/index.xml
@@ -1365,7 +1365,7 @@ The Apache Hadoop software library is a framework that 
allows for the distribute
       <guid>https://hadoop.apache.org/cve_list.html</guid>
       <description>This page lists security fixes that the Hadoop PMC felt 
warranted a CVE. If you think something is missing from this list or if you 
think the set of impacted or fixed versions is incomplete then please ask on 
the Security list.
 CVEs are presented in most-recent-first order of announcement.
-CVE-2020-9492 Apache Hadoop Potential privilege escalation WebHDFS client 
might send SPNEGO authorization header to remote URL without proper 
verification. A crafty user can trigger services to send server credentials to 
a webhdfs path for capturing the service principal.</description>
+CVE-2022-26612 Arbitrary file write during untar on Windows In Apache Hadoop, 
The unTar function uses unTarUsingJava function on Windows and the built-in tar 
utility on Unix and other OSes.</description>
     </item>
     
     <item>
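Review bot: the regenerated description for the cve_list item now ends after the first sentence of the new entry, "The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes.", which describes no vulnerability at all, whereas the CVE-2020-9492 text it replaces was a complete summary (header sent without verification, credentials captured). Because the feed summary is cut off this early, consider opening the markdown entry with a sentence that states the impact directly, for example "A crafted TAR file can write a file outside the extraction directory on Windows because unTarUsingJava follows symlinks created by earlier entries", so the RSS item is meaningful on its own.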
diff --git a/src/cve_list.md b/src/cve_list.md
index 40b17dbfdd..bd7961fbfd 100644
--- a/src/cve_list.md
+++ b/src/cve_list.md
@@ -37,6 +37,21 @@ One paragraph summary goes here. Don't need nuts-and-bolts 
detail, just enough f
 - **Issue Announced**:
 -->
 
+## 
[CVE-2022-26612](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26612) 
Arbitrary file write during untar on Windows
+
+In Apache Hadoop, The `unTar` function uses `unTarUsingJava` function on 
Windows and the built-in tar utility on Unix and other OSes.  As a result, a 
TAR entry may create a symlink under the expected extraction directory which 
points to an external directory. A subsequent TAR entry may extract an 
arbitrary file into the external directory using the symlink name. This however 
would be caught by the same `targetDirPath` check on Unix because of the 
`getCanonicalPath` call. However on Windo [...]
+
+Users of the affected versions should apply either of the following 
mitigations:
+* Do not run any of the YARN daemons as a user possessing the permissions to 
create symlinks on Windows.
+* Do not use symlinks in the tar file.
+
+- **Versions affected**: Versions below 3.2.3, 3.3.2
+- **Fixed versions**: 3.2.3, 3.3.3, 3.4 onwards
+- **Impact**: file write to arbitrary path in Windows
+- **Reporter**: A member of GitHub Security Lab, [Jaroslav 
Lobačevski](https://github.com/JarLob)
+- **Reported Date**: 2022/02/09
+- **Issue Announced**: 2022/04/7 
([general@hadoop](https://lists.apache.org/thread/wps21pzjl1myxw23yb466y9yofv104yl))
+
 ## 
[CVE-2020-9492](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492) 
Apache Hadoop Potential privilege escalation
 
 WebHDFS client might send SPNEGO authorization header to remote URL
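Review bot: the two mitigations are not equivalent for an operator, so "apply either of the following" is misleading: "Do not use symlinks in the tar file" is something only the archive producer controls, and a cluster that accepts archives from users cannot rely on it, while "Do not run any of the YARN daemons as a user possessing the permissions to create symlinks on Windows" is the one an administrator can enforce. Suggest stating that upgrading to a fixed version (3.2.3, 3.3.3) is the remediation and that these are interim workarounds, with the daemon-privilege item first. Style points in the same section: the mitigations use "*" bullets while the metadata list and the template above use "-", so use "-" throughout; "In Apache Hadoop, The `unTar` function uses `unTarUsingJava` function" should read "In Apache Hadoop, the `unTar` function uses the `unTarUsingJava` function"; there is a double space before "As a result"; and a blank line between "mitigations:" and the first bullet keeps the list rendering consistent with the rest of the file.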

