[
https://issues.apache.org/jira/browse/YARN-9718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16923705#comment-16923705
]
Hudson commented on YARN-9718:
------------------------------
FAILURE: Integrated in Jenkins build Hadoop-trunk-Commit #17233 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/17233/])
YARN-9718. Fixed yarn.service.am.java.opts shell injection. Contributed
(billie: rev 2e2e5401f297545181323b126a69eaa2239afb02)
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/client/ServiceClient.java
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/exceptions/RestApiErrorMessages.java
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/test/java/org/apache/hadoop/yarn/service/utils/TestServiceApiUtil.java
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/ServiceApiUtil.java
> Yarn REST API, services endpoint remote command ejection
> --------------------------------------------------------
>
> Key: YARN-9718
> URL: https://issues.apache.org/jira/browse/YARN-9718
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.1.0, 3.2.0, 3.1.1, 3.1.2
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-9718.001.patch, YARN-9718.002.patch,
> YARN-9718.003.patch, YARN-9718.004.patch
>
>
> Email from Oskars Vegeris:
>
> During internal infrastructure testing it was discovered that the Hadoop Yarn
> REST endpoint /app/v1/services contains a command injection vulnerability.
>
> The services endpoint's normal use-case is for launching containers (e.g.
> Docker images/apps), however by providing an argument with special shell
> characters it is possible to execute arbitrary commands on the Host server -
> this would allow to escalate privileges and access.
>
> The command injection is possible in the parameter for JVM options -
> "yarn.service.am.java.opts". It's possible to enter arbitrary shell commands
> by using sub-shell syntax `cmd` or $(cmd). No shell character filtering is
> performed.
>
> The "launch_command" which needs to be provided is meant for the container
> and if it's not being run in privileged mode or with special options, host OS
> should not be accessible.
>
> I've attached a minimal request sample with an injected 'ping' command. The
> endpoint can also be found via UI @
> [http://yarn-resource-manager:8088/ui2/#/yarn-services]
>
> If no auth, or "simple auth" (username) is enabled, commands can be executed
> on the host OS. I know commands can also be ran by the "new-application"
> feature, however this is clearly not meant to be a way to touch the host OS.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
