Deserialization of Untrusted Data in Apache Hadoop
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-25642 |
| CWE-ID | CWE-502 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Hadoop Server applications / Frameworks for developing and running applications |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Deserialization of Untrusted Data
EUVDB-ID: #VU110016
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-25642
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. A remote user with an access to ZooKeeper can run arbitrary commands as YARN user by exploiting this vulnerability.
MitigationInstall update from vendor's website.
Vulnerable software versionsHadoop: 2.9.0 - 3.3.3
CPE2.3- cpe:2.3:a:apache_foundation:hadoop:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:hadoop:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:hadoop:2.9.2:*:*:*:*:*:*:*
https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150
https://security.netapp.com/advisory/ntap-20221201-0003/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
