{"containers": {"cna": {"affected": [{"product": "Apache Hadoop", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1"}]}], "credits": [{"lang": "en", "value": "Apache Hadoop would like to thank Hideyuki Furue for reporting and fixing this issue."}], "descriptions": [{"lang": "en", "value": "In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}], "metrics": [{"other": {"content": {"other": "Critical"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-264", "description": "CWE-264 Permissions, Privileges, and Access Controls", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-24", "description": "CWE-24 Path Traversal: '../filedir'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-22T18:07:41", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5"}, {"name": "[oss-security] 20220615 CVE-2021-33036: Apache Hadoop Privilege escalation vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/06/15/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220722-0003/"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Hadoop Privilege escalation vulnerability", "workarounds": [{"lang": "en", "value": "If you are using the affected version of Apache Hadoop and some users can escalate to yarn user and cannot escalate to root user, remove the permission to escalate to yarn user from them."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-33036", "STATE": "PUBLIC", "TITLE": "Apache Hadoop Privilege escalation vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Hadoop", "version": {"version_data": [{"version_affected": "=", "version_value": "2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Hadoop would like to thank Hideyuki Furue for reporting and fixing this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "Critical"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-264 Permissions, Privileges, and Access Controls"}]}, {"description": [{"lang": "eng", "value": "CWE-24 Path Traversal: '../filedir'"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5", "refsource": "MISC", "url": "https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5"}, {"name": "[oss-security] 20220615 CVE-2021-33036: Apache Hadoop Privilege escalation vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/06/15/2"}, {"name": "https://security.netapp.com/advisory/ntap-20220722-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220722-0003/"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "If you are using the affected version of Apache Hadoop and some users can escalate to yarn user and cannot escalate to root user, remove the permission to escalate to yarn user from them."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:19.282Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5"}, {"name": "[oss-security] 20220615 CVE-2021-33036: Apache Hadoop Privilege escalation vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/06/15/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220722-0003/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-33036", "datePublished": "2022-06-15T14:25:14", "dateReserved": "2021-05-17T00:00:00", "dateUpdated": "2024-08-03T23:42:19.282Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C7086C6-7F7A-4D1B-8168-B8D22DEBC0B8", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "A815DF9F-7E9E-4AC2-BDA6-6171B01BF778", "versionEndExcluding": "3.2.3", "versionStartIncluding": "3.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "95BECC24-F7DC-4052-9B82-5B78005C3210", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "C33530ED-6093-4B4C-AFDB-4DB5EB5878E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "38BCF20D-169E-4847-8880-A223467B8639", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "336DADCF-3302-423D-BFDC-72C031AD1CAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "689B619C-04C4-43C6-B103-DDAAA9C9CC9C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}, {"lang": "es", "value": "En Apache Hadoop versiones 2.2.0 a 2.10.1, 3.0.0-alpha1 a 3.1.4, 3.2.0 a 3.2.2 y 3.3.0 a 3.3.1, un usuario que puede escalar a usuario hilo puede ejecutar posiblemente comandos arbitrarios como usuario root. Los usuarios deben actualizar a Apache Hadoop versiones 2.10.2, 3.2.3, 3.3.2 o superior"}], "id": "CVE-2021-33036", "lastModified": "2022-10-27T16:30:17.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-15T15:15:07.973", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/06/15/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220722-0003/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-24"}, {"lang": "en", "value": "CWE-264"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "hadoop: privilege escalation via yarn user", "id": "2102826", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2102826"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.", "A flaw was found in Hadoop Yarn. This flaw allows an attacker to benefit from permissions, escalate to a yarn user and run arbitrary commands as root."], "name": "CVE-2021-33036", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat JBoss Data Grid 7"}], "public_date": "2022-06-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-33036\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33036\nhttps://github.com/advisories/GHSA-58jx-f5rf-qgqf"], "threat_severity": "Moderate", "upstream_fix": "Apache Hadoop 2.10.2, Apache Hadoop 3.2.3, Apache Hadoop 3.3.2"}