{"containers": {"cna": {"affected": [{"product": "Apache Hadoop", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.0.0 to 2.10.1"}, {"status": "affected", "version": "3.0.0-alpha to 3.2.3"}, {"status": "affected", "version": "3.3.0 to 3.3.2"}]}], "credits": [{"lang": "en", "value": "Apache Hadoop would like to thank Kostya Kortchinsky for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)."}], "metrics": [{"other": {"content": {"other": "important"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-26T10:18:58.078Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220915-0007/"}], "source": {"discovery": "UNKNOWN"}, "title": "Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar", "workarounds": [{"lang": "en", "value": "Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-25168", "STATE": "PUBLIC", "TITLE": "Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Hadoop", "version": {"version_data": [{"version_value": "2.0.0 to 2.10.1"}, {"version_value": "3.0.0-alpha to 3.2.3"}, {"version_value": "3.3.0 to 3.3.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Hadoop would like to thank Kostya Kortchinsky for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "important"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130", "refsource": "MISC", "url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130"}, {"name": "https://security.netapp.com/advisory/ntap-20220915-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220915-0007/"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:05.786Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220915-0007/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-25168", "datePublished": "2022-08-04T14:30:17", "dateReserved": "2022-02-15T00:00:00", "dateUpdated": "2024-08-03T04:36:05.786Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "689ABB50-04DB-4449-8750-CBE9346F19AA", "versionEndIncluding": "2.10.1", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D7FBED-F7AB-4BA8-BD85-3638AF05A445", "versionEndIncluding": "3.2.3", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF92F83A-F36C-4DED-8807-1292704B4AB8", "versionEndIncluding": "3.3.2", "versionStartIncluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)."}, {"lang": "es", "value": "La API FileUtil.unTar(File, File) de Apache Hadoop no escapa el nombre del archivo de entrada antes de pasarlo al shell. Un atacante puede inyectar comandos arbitrarios. Esto s\u00f3lo es usado en Hadoop versi\u00f3n 3.3 InMemoryAliasMap.completeBootstrapTransfer, que s\u00f3lo es ejecutado un usuario local. Se ha usado en Hadoop versi\u00f3n 2.x para la localizaci\u00f3n de hilos, que s\u00ed permite una ejecuci\u00f3n de c\u00f3digo remota . Es usado en Apache Spark, desde el comando SQL ADD ARCHIVE. Como el comando ADD ARCHIVE a\u00f1ade nuevos binarios al classpath, el hecho de poder ejecutar scripts de shell no confiere nuevos permisos a quien lo llama. SPARK-38305. \"Comprobar la existencia de un archivo antes de desarchivar/comprimir\", que es incluida en versiones 3.3.0, 3.1.4 y 3.2.2, impide la ejecuci\u00f3n de comandos de shell, independientemente de la versi\u00f3n de las bibliotecas de Hadoop que se est\u00e9 usando. Los usuarios deben actualizar a Apache Hadoop versiones 2.10.2, 3.2.4, 3.3.3 o superior (incluyendo HADOOP-18136)"}], "id": "CVE-2022-25168", "lastModified": "2023-06-26T11:15:09.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-04T15:15:08.343", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220915-0007/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "hadoop: Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar", "id": "2119084", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119084"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-88", "details": ["Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).", "A flaw was found in the hadoop-common package. This flaw allows an attacker to benefit from command injection using the org.apache.hadoop.fs.FileUtil.unTarUsingTar function."], "name": "CVE-2022-25168", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/volsync-mover-rclone-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "impact": "low", "package_name": "hadoop", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "impact": "low", "package_name": "hadoop", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "impact": "low", "package_name": "hadoop", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "hadoop", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "hadoop-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "hadoop", "product_name": "streams for Apache Kafka"}], "public_date": "2022-08-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25168\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25168\nhttps://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130"], "threat_severity": "Important", "upstream_fix": "apache hadoop 3.3.3, hadoop-commons 2.10.2, hadoop-commons 3.2.4"}