Apache Hadoop spins injection vulnerability YARN

The “Zip Slip” vulnerability that first emerged in June has claimed yet another victim – the Apache Hadoop YARN NodeManager daemon.

Originally, Apache’s Akira Ajisaka disclosed the bug here. Zip Slip affects all Apache Hadoop versions except 3.1.1, 3.0.3, 2.8.5 and 2.7.7, as well as JBoss Fuse 6.0 and 7.0.

In the Hadoop case, as well as the NodeManager daemon, the vulnerability affects implementations that use public cryptoarchives in the distributed cache.

According to the disclosure, the bug “allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localized, public archive on the node then code can be injected into the jobs of other cluster users using the public archive.”

The bug affects, in principle, any code that unpacks compressed archives.

Attackers can therefore exploit inadequate filename sanitisation, which lets them point an unpacked file’s destination at an existing folder or file on the target system.

The attacker’s file can then overwrite existing data anywhere on the system: “That would allow a miscreant to inject arbitrary commands in script files, or change executables, to do nefarious things.”
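The mechanism above comes down to one missing check: the extractor joins the archive entry’s name to the destination directory without confirming that the result still lies inside it. The following Python is an added example, not Hadoop’s or YARN’s own code (the NodeManager is Java, but the check is identical in any language). It builds two constructed in-memory archives, one benign and one carrying a `../../escape.sh` entry, canonicalises each entry’s target path, and refuses the whole archive if any entry would land outside the extraction directory. All paths and file names are made up for the demonstration.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the extraction directory."""


def resolve_entry(dest_dir, entry_name):
    """Return the canonical path an entry would be written to, or raise ZipSlipError.

    This is the check a Zip Slip-vulnerable extractor skips: join the entry name
    to the destination, canonicalise, and require the result to stay under it.
    """
    dest_root = Path(dest_dir).resolve()
    # Treat backslashes as separators too; archives written on Windows may use them.
    name = entry_name.replace("\\", "/")
    # An absolute entry name would replace dest_root entirely when joined.
    if name.startswith("/") or os.path.isabs(name):
        raise ZipSlipError(f"absolute entry name rejected: {entry_name!r}")
    target = (dest_root / name).resolve()
    if target != dest_root and dest_root not in target.parents:
        raise ZipSlipError(f"entry escapes {dest_root}: {entry_name!r} -> {target}")
    return target


def is_safe_entry(dest_dir, entry_name):
    """Boolean form of resolve_entry, convenient for scanning archives."""
    try:
        resolve_entry(dest_dir, entry_name)
        return True
    except ZipSlipError:
        return False


def audit_archive(zip_bytes, dest_dir):
    """Classify every entry of an in-memory zip without writing anything to disk."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (safe if is_safe_entry(dest_dir, info.filename) else rejected).append(info.filename)
    return safe, rejected


def safe_extract(zip_bytes, dest_dir):
    """Extract an archive, refusing all of it if any entry fails the check.

    Auditing first means a malicious entry late in the archive is not preceded
    by entries that have already been written to disk.
    """
    _, rejected = audit_archive(zip_bytes, dest_dir)
    if rejected:
        raise ZipSlipError(f"archive rejected, traversal entries: {rejected}")
    dest_root = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target.relative_to(dest_root).as_posix())
    return sorted(written)


def build_zip(entries):
    """Build an in-memory zip from {entry_name: text}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples (not real YARN archives): a benign job archive, and the
# same archive with one entry whose name climbs out of the extraction directory.
CLEAN_ZIP = build_zip({
    "job/run.sh": "#!/bin/sh\necho job\n",
    "job/conf/site.xml": "<configuration/>\n",
})
TRAVERSAL_ZIP = build_zip({
    "job/run.sh": "#!/bin/sh\necho job\n",
    "../../escape.sh": "#!/bin/sh\necho overwritten\n",
})


def demo():
    """Run both archives through the checks in a scratch directory; return a summary."""
    with tempfile.TemporaryDirectory() as scratch:
        safe, rejected = audit_archive(TRAVERSAL_ZIP, scratch)
        try:
            safe_extract(TRAVERSAL_ZIP, scratch)
            aborted = False
        except ZipSlipError:
            aborted = True
        leaked = [p for p in Path(scratch).rglob("*") if p.is_file()]
        clean = safe_extract(CLEAN_ZIP, scratch)
    return {"safe": safe, "rejected": rejected, "aborted": aborted,
            "files_after_abort": len(leaked), "clean_written": clean}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the two-pass shape: `audit_archive` runs over every entry name before a single byte is written, so a rejected archive leaves the destination untouched rather than half-extracted. Canonicalising with `resolve()` rather than string-matching `../` also catches mixed separators and names that merely contain dot segments.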

Apache had already mitigated Zip Slip in another package in June.

Fixing YARN was harder, it seems, since the organisation’s CVE list entry said it was first notified of the issue in April.

It’s been rough lately for YARN, with Netscout revealing its role as a vector for Mirai attacks earlier this week.
