#VU110016 Deserialization of Untrusted Data in Hadoop - CVE-2021-25642
Published: June 2, 2025
Vulnerability identifier: #VU110016
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-25642
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Hadoop
Hadoop
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. A remote user with an access to ZooKeeper can run arbitrary commands as YARN user by exploiting this vulnerability.
Remediation
Install updates from vendor's website.