This is an automated email from the ASF dual-hosted git repository.

iwasakims pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/hadoop-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 6bd9de8393 Add CVE-2021-25642 description
6bd9de8393 is described below

commit 6bd9de839398bcc8b471968e74d67748328cfcd6
Author: Masatake Iwasaki <iwasak...@apache.org>
AuthorDate: Thu Aug 25 11:44:28 2022 +0000

    Add CVE-2021-25642 description
---
 content/cve_list.html | 13 +++++++++++++
 content/index.html    |  2 +-
 content/index.xml     |  2 +-
 src/cve_list.md       | 14 ++++++++++++++
 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/content/cve_list.html b/content/cve_list.html
index 86c21add10..f513f15512 100644
--- a/content/cve_list.html
+++ b/content/cve_list.html
@@ -169,6 +169,19 @@ One paragraph summary goes here. Don't need nuts-and-bolts 
detail, just enough f
 - **Reported Date**:
 - **Issue Announced**:
 -->
+<h2 
id="cve-2021-25642httpcvemitreorgcgi-bincvenamecginamecve-2021-25642-apache-hadoop-yarn-remote-code-execution-in-zkconfigurationstore-of-capacity-scheduler"><a
 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25642";>CVE-2021-25642</a>
 Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity 
scheduler</h2>
+<p>ZKConfigurationStore which is optionally used by CapacityScheduler of
+Apache Hadoop YARN deserializes data obtained from ZooKeeper without
+validation. An attacker having access to ZooKeeper can run arbitrary
+commands as YARN user by exploiting this.</p>
+<ul>
+<li><strong>Versions affected</strong>: 2.9.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 
3.3.0 to 3.3.3</li>
+<li><strong>Fixed versions</strong>: 2.10.2, 3.2.4, 3.3.4</li>
+<li><strong>Impact</strong>: remote command execution</li>
+<li><strong>Reporter</strong>: Liu Ximing</li>
+<li><strong>Reported Date</strong>: 2020/12/16</li>
+<li><strong>Issue Announced</strong>: 2022/08/25 (<a 
href="https://lists.apache.org/thread/w1nf92148xcnxl5ys0owtokf9y0l9zsv";>general@hadoop</a>)</li>
+</ul>
 <h2 
id="cve-2022-25168httpcvemitreorgcgi-bincvenamecginamecve-2022-25168-command-injection-in-orgapachehadoopfsfileutiluntarusingtar"><a
 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168";>CVE-2022-25168</a>
 Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar</h2>
 <p>Apache Hadoop&rsquo;s FileUtil.unTar(File, File) API does not escape the
 input file name before being passed to the shell. An attacker can
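Review bot: the new entry's CVE link on the `href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25642"` line uses plain http; the existing CVE-2022-25168 entry below does the same, so moving both to https would be a small separate consistency fix, but the new entry is the natural place to start. The rest of this file is Hugo output generated from src/cve_list.md, so wording comments belong on that hunk rather than here.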
diff --git a/content/index.html b/content/index.html
index 2dd6fce9c2..ea843bf80f 100644
--- a/content/index.html
+++ b/content/index.html
@@ -3,7 +3,7 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
-       <meta name="generator" content="Hugo 0.101.0" />
+       <meta name="generator" content="Hugo 0.100.2" />
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
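Review bot: the only change in this file is the generator tag going from `Hugo 0.101.0` back to `Hugo 0.100.2`, which is unrelated to the CVE entry and indicates the site was rebuilt with an older local Hugo than the previous publish used; regenerating with the same Hugo version as the last asf-site commit avoids this version flip-flopping on every push and keeps the diff limited to the content that actually changed.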
diff --git a/content/index.xml b/content/index.xml
index 3a3ffea727..8a7895076f 100644
--- a/content/index.xml
+++ b/content/index.xml
@@ -1412,7 +1412,7 @@ The Apache Hadoop software library is a framework that 
allows for the distribute
       <guid>https://hadoop.apache.org/cve_list.html</guid>
       <description>This page lists security fixes that the Hadoop PMC felt 
warranted a CVE. If you think something is missing from this list or if you 
think the set of impacted or fixed versions is incomplete then please ask on 
the Security list.
 CVEs are presented in most-recent-first order of announcement.
-CVE-2022-25168 Command injection in 
org.apache.hadoop.fs.FileUtil.unTarUsingTar Apache Hadoop&amp;rsquo;s 
FileUtil.unTar(File, File) API does not escape the input file name before being 
passed to the shell.</description>
+CVE-2021-25642 Apache Hadoop YARN remote code execution in 
ZKConfigurationStore of capacity scheduler ZKConfigurationStore which is 
optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data 
obtained from ZooKeeper without validation.</description>
     </item>
     
     <item>
diff --git a/src/cve_list.md b/src/cve_list.md
index 968ce2f8ef..be08758987 100644
--- a/src/cve_list.md
+++ b/src/cve_list.md
@@ -37,6 +37,20 @@ One paragraph summary goes here. Don't need nuts-and-bolts 
detail, just enough f
 - **Issue Announced**:
 -->
 
+## 
[CVE-2021-25642](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25642) 
Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity 
scheduler
+
+ZKConfigurationStore which is optionally used by CapacityScheduler of
+Apache Hadoop YARN deserializes data obtained from ZooKeeper without
+validation. An attacker having access to ZooKeeper can run arbitrary
+commands as YARN user by exploiting this.
+
+- **Versions affected**: 2.9.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 3.3.0 to 3.3.3
+- **Fixed versions**: 2.10.2, 3.2.4, 3.3.4
+- **Impact**: remote command execution
+- **Reporter**: Liu Ximing
+- **Reported Date**: 2020/12/16
+- **Issue Announced**: 2022/08/25 
([general@hadoop](https://lists.apache.org/thread/w1nf92148xcnxl5ys0owtokf9y0l9zsv))
+
 ## 
[CVE-2022-25168](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168) 
Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar
 
 Apache Hadoop's FileUtil.unTar(File, File) API does not escape the
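Review bot: two consistency points in the new entry. The heading describes "remote code execution" while the `- **Impact**: remote command execution` line uses a different term; pick one and use it in both places. In the summary, "can run arbitrary commands as YARN user" reads better as "as the YARN user". Since the text notes that ZKConfigurationStore is only optionally used by CapacityScheduler, the entry could also say whether not enabling that store, or restricting access to ZooKeeper, is an acceptable mitigation for deployments that cannot move to 2.10.2, 3.2.4 or 3.3.4 immediately; the existing template has no such field, so treat this as optional. The `[CVE-2021-25642](http://cve.mitre.org/...)` link also uses plain http, same as the existing entries.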


---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
