This is an automated email from the ASF dual-hosted git repository.

iwasakims pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/hadoop-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 53f231de83 Add CVE-2023-26031 description
53f231de83 is described below

commit 53f231de83603b4c3034a941bd19113925bbe413
Author: Masatake Iwasaki <iwasak...@apache.org>
AuthorDate: Thu Nov 16 14:12:14 2023 +0900

    Add CVE-2023-26031 description
---
 content/cve_list.html | 28 ++++++++++++++++++++++++++++
 content/index.html    |  2 +-
 content/index.xml     |  2 +-
 src/cve_list.md       | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 81 insertions(+), 2 deletions(-)

diff --git a/content/cve_list.html b/content/cve_list.html
index 852bcd6ef1..802ccd9855 100644
--- a/content/cve_list.html
+++ b/content/cve_list.html
@@ -171,6 +171,34 @@ One paragraph summary goes here. Don't need nuts-and-bolts 
detail, just enough f
 - **Reported Date**:
 - **Issue Announced**:
 -->
+<h2 
id="cve-2023-26031httpcvemitreorgcgi-bincvenamecginamecve-2023-26031-privilege-escalation-in-apache-haoop-yarn-container-executor-binary-on-linux-systems"><a
 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26031";>CVE-2023-26031</a>
 Privilege escalation in Apache Haoop Yarn container-executor binary on Linux 
systems</h2>
+<p>Relative library resolution in linux container-executor binary in Apache 
Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the 
YARN cluster is accepting work from remote (authenticated) users, this MAY 
permit remote users to gain root privileges.</p>
+<p>Hadoop 3.3.0 updated the <a 
href="https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html";>YARN
 Secure Containers</a> to add a feature for executing user-submitted 
applications in isolated linux containers.</p>
+<p>The native binary HADOOP_HOME/bin/container-executor is used to launch 
these containers; it must be owned by root and have the suid bit set in order 
for the YARN processes to run the containers as the specific users submitting 
the jobs.</p>
+<p>The patch <a 
href="https://issues.apache.org/jira/browse/YARN-10495";>YARN-10495</a> 
&ldquo;make the rpath of container-executor configurable&rdquo; modified the 
library loading path for loading .so files from <code>$ORIGIN/</code> to 
<code>$ORIGIN/:../lib/native/</code>. This is the a path through which 
libcrypto.so is located. Thus it is is possible for a user with reduced 
privileges to install a malicious libcrypto library into a path to which they 
have write access, invoke the cont [...]
+If the YARN cluster is accepting work from remote (authenticated) users, and 
these users&rsquo; submitted job are executed in the physical host, rather than 
a container, then the CVE permits remote users to gain root privileges.</p>
+<p>The fix for the vulnerability is to revert the change, which is done in <a 
href="https://issues.apache.org/jira/browse/YARN-11441";>YARN-11441</a>, 
&ldquo;Revert YARN-10495&rdquo;. This patch is in hadoop-3.3.5.</p>
+<p>To determine whether a version of container-executor is vulnerable, use the 
readelf command. If the RUNPATH or RPATH value contains the relative path 
<code>./lib/native/</code> then it  is at risk</p>
+<pre tabindex="0"><code>$ readelf -d container-executor|grep 
&#39;RUNPATH\|RPATH&#39;
+0x000000000000001d (RUNPATH)            Library runpath: 
[$ORIGIN/:../lib/native/]
+</code></pre><p>If it does not, then it is safe:</p>
+<pre tabindex="0"><code>$ readelf -d container-executor|grep 
&#39;RUNPATH\|RPATH&#39;
+0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]
+</code></pre><p>For an at-risk version of container-executor to enable 
privilege escalation, the owner must be root and the suid bit must be set</p>
+<pre tabindex="0"><code>$ ls -laF /opt/hadoop/bin/container-executor
+---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
+</code></pre><p>A safe installation lacks the suid bit; ideally is also not 
owned by root.</p>
+<pre tabindex="0"><code>$ ls -laF /opt/hadoop/bin/container-executor
+-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
+</code></pre><p>This configuration does not support Yarn Secure Containers, 
but all other hadoop services, including YARN job execution outside secure 
containers continue to work.</p>
+<ul>
+<li><strong>Versions affected</strong>: 3.3.1 to 3.3.4</li>
+<li><strong>Fixed versions</strong>: 3.3.5</li>
+<li><strong>Impact</strong>: privilege escalation</li>
+<li><strong>Reporter</strong>: Esa Hiltunen, Mikko Kortelainen</li>
+<li><strong>Reported Date</strong>: 2022/07/13</li>
+<li><strong>Issue Announced</strong>: 2023/11/16 (<a 
href="https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r";>general@hadoop</a>)</li>
+</ul>
 <h2 
id="cve-2021-25642httpcvemitreorgcgi-bincvenamecginamecve-2021-25642-apache-hadoop-yarn-remote-code-execution-in-zkconfigurationstore-of-capacity-scheduler"><a
 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25642";>CVE-2021-25642</a>
 Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity 
scheduler</h2>
 <p>ZKConfigurationStore which is optionally used by CapacityScheduler of
 Apache Hadoop YARN deserializes data obtained from ZooKeeper without
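Review bot: The typos in this generated HTML (the heading and its id read "Apache Haoop Yarn", and the body has "This is the a path", "it is is possible", "submitted job are executed", and "then it  is at risk" with a double space and no terminating period) originate in src/cve_list.md; fix them there and regenerate rather than hand-editing content/, otherwise the next Hugo build reintroduces them. The detection paragraph tells the reader to look for `./lib/native/` while the readelf output it shows contains `../lib/native/`; the two strings should match so an administrator grepping for the literal value finds it. The sentence "If it does not, then it is safe" also deserves a short qualification: `$ORIGIN/` still resolves to the binary's own directory, so that configuration is safe only while that directory is not writable by unprivileged users, which the root-ownership requirement stated earlier already implies for the binary itself.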
diff --git a/content/index.html b/content/index.html
index 6ef5783533..d03373ce67 100644
--- a/content/index.html
+++ b/content/index.html
@@ -3,7 +3,7 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
-       <meta name="generator" content="Hugo 0.108.0">
+       <meta name="generator" content="Hugo 0.111.3">
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
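Review bot: The generator bump from Hugo 0.108.0 to 0.111.3 is unrelated to the CVE-2023-26031 description the commit message announces; it is a side effect of regenerating the site with a newer local Hugo. Either mention it in the commit message or keep it out of this commit. The diffstat shows content/cve_list.html with insertions only, so its generator tag did not change, which suggests the regeneration touched files unevenly and is worth a second look before the next publish.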
diff --git a/content/index.xml b/content/index.xml
index 2995a199c6..822aa9e6a9 100644
--- a/content/index.xml
+++ b/content/index.xml
@@ -1436,7 +1436,7 @@ The Apache Hadoop software library is a framework that 
allows for the distribute
       <guid>https://hadoop.apache.org/cve_list.html</guid>
       <description>This page lists security fixes that the Hadoop PMC felt 
warranted a CVE. If you think something is missing from this list or if you 
think the set of impacted or fixed versions is incomplete then please ask on 
the Security list.
 CVEs are presented in most-recent-first order of announcement.
-CVE-2021-25642 Apache Hadoop YARN remote code execution in 
ZKConfigurationStore of capacity scheduler ZKConfigurationStore which is 
optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data 
obtained from ZooKeeper without validation.</description>
+CVE-2023-26031 Privilege escalation in Apache Haoop Yarn container-executor 
binary on Linux systems Relative library resolution in linux container-executor 
binary in Apache Hadoop 3.</description>
     </item>
     
     <item>
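Review bot: The new <description> ends mid-sentence at "in Apache Hadoop 3." because the summary is cut inside the version range "3.3.1-3.3.4", which reads as if only "Hadoop 3" were affected; consider rewording the first sentence of the entry so the summary cut lands after a complete clause, or shortening that lead sentence. The "Apache Haoop" typo is carried into the feed as well; fixing it in src/cve_list.md clears both the page and the feed on the next build. Note also that the feed description now names only the newest CVE and drops the CVE-2021-25642 text entirely, which is expected for a summary of the top of the page but worth knowing if anyone consumes the feed as the full list.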
diff --git a/src/cve_list.md b/src/cve_list.md
index be08758987..5b85406df9 100644
--- a/src/cve_list.md
+++ b/src/cve_list.md
@@ -37,6 +37,57 @@ One paragraph summary goes here. Don't need nuts-and-bolts 
detail, just enough f
 - **Issue Announced**:
 -->
 
+## 
[CVE-2023-26031](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26031) 
Privilege escalation in Apache Haoop Yarn container-executor binary on Linux 
systems
+
+Relative library resolution in linux container-executor binary in Apache 
Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the 
YARN cluster is accepting work from remote (authenticated) users, this MAY 
permit remote users to gain root privileges.
+
+Hadoop 3.3.0 updated the [YARN Secure 
Containers](https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html)
 to add a feature for executing user-submitted applications in isolated linux 
containers.
+
+The native binary HADOOP_HOME/bin/container-executor is used to launch these 
containers; it must be owned by root and have the suid bit set in order for the 
YARN processes to run the containers as the specific users submitting the jobs.
+
+The patch [YARN-10495](https://issues.apache.org/jira/browse/YARN-10495) "make 
the rpath of container-executor configurable" modified the library loading path 
for loading .so files from `$ORIGIN/` to `$ORIGIN/:../lib/native/`. This is the 
a path through which libcrypto.so is located. Thus it is is possible for a user 
with reduced privileges to install a malicious libcrypto library into a path to 
which they have write access, invoke the container-executor command, and have 
their modified  [...]
+If the YARN cluster is accepting work from remote (authenticated) users, and 
these users' submitted job are executed in the physical host, rather than a 
container, then the CVE permits remote users to gain root privileges.
+
+The fix for the vulnerability is to revert the change, which is done in 
[YARN-11441](https://issues.apache.org/jira/browse/YARN-11441), "Revert 
YARN-10495". This patch is in hadoop-3.3.5.
+
+To determine whether a version of container-executor is vulnerable, use the 
readelf command. If the RUNPATH or RPATH value contains the relative path 
`./lib/native/` then it  is at risk
+
+```
+$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
+0x000000000000001d (RUNPATH)            Library runpath: 
[$ORIGIN/:../lib/native/]
+```
+
+If it does not, then it is safe:
+
+```
+$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
+0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]
+```
+
+For an at-risk version of container-executor to enable privilege escalation, 
the owner must be root and the suid bit must be set
+
+```
+$ ls -laF /opt/hadoop/bin/container-executor
+---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
+```
+
+A safe installation lacks the suid bit; ideally is also not owned by root.
+
+```
+$ ls -laF /opt/hadoop/bin/container-executor
+-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
+
+```
+
+This configuration does not support Yarn Secure Containers, but all other 
hadoop services, including YARN job execution outside secure containers 
continue to work.
+
+- **Versions affected**: 3.3.1 to 3.3.4
+- **Fixed versions**: 3.3.5
+- **Impact**: privilege escalation
+- **Reporter**: Esa Hiltunen, Mikko Kortelainen
+- **Reported Date**: 2022/07/13
+- **Issue Announced**: 2023/11/16 
([general@hadoop](https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r))
+
 ## 
[CVE-2021-25642](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25642) 
Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity 
scheduler
 
 ZKConfigurationStore which is optionally used by CapacityScheduler of
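Review bot: This is the source file, so the wording fixes belong here: "Apache Haoop Yarn" in the heading should read "Apache Hadoop YARN", "This is the a path" should read "This is the path", "it is is possible" should read "it is possible", "submitted job are executed" should read "submitted jobs are executed", "then it  is at risk" needs a single space and a closing period, and "ideally is also not owned by root" reads better as "ideally it is also not owned by root". The detection instruction says to look for `./lib/native/` but the readelf output that follows shows `../lib/native/`; use the same string in both places so the check is unambiguous. The second `ls -laF` block has a stray blank line before its closing fence, and none of the four fences carry a language tag; tagging them `console` gives consistent rendering. Minor: "hadoop-3.3.5" in the fix paragraph and "3.3.5" in the "Fixed versions" item name the same release two ways, and "linux"/"Yarn" are capitalized inconsistently with "Linux"/"YARN" elsewhere in the entry.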


---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
