This topic is a notice about other vulnerabilities and their solutions.
Unauthorized-access vulnerabilities in Apache Hadoop and Hadoop YARN ResourceManager
Hadoop is a distributed system framework. An unauthorized-access vulnerability exists in the default Hadoop configuration. Attackers can exploit this vulnerability to run code from a remote server.
Solutions:
When you configure security group rules, do not set Authorization Object to 0.0.0.0/0 (IPv4) or ::/0 (IPv6). For more information about how to create a security group rule, see Add a security group rule.
Prohibit anonymous access. Add or modify the following configuration item in the /etc/emr/hadoop-conf/core-site.xml configuration file, and then restart the HDFS and YARN services.
<property>
  <name>hadoop.http.authentication.simple.anonymous.allowed</name>
  <value>false</value>
</property>
Turn on Kerberos Authentication when you create an E-MapReduce (EMR) cluster.
YARN ZKConfigurationStore deserialization vulnerability leading to code execution in Apache Hadoop (CVE-2021-25642)
YARN is the default resource manager and scheduling system of Apache Hadoop. ZKConfigurationStore is a component that can be used by YARN capacity schedulers to obtain data from ZooKeeper. ZKConfigurationStore can deserialize the data that is obtained from ZooKeeper without verification. If the ZKConfigurationStore component is enabled, attackers can exploit this vulnerability to run arbitrary commands.
The default value of the yarn.scheduler.configuration.store.class parameter of the YARN service in an EMR cluster is file. This indicates that the ZKConfigurationStore component is not enabled.
Solution: Upgrade Hadoop to 2.10.2, 3.2.4, 3.3.4, or later.
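The following script is an added audit example that is not part of this notice, of Alibaba Cloud EMR, or of Apache Hadoop. It checks the items above on the defender's side: whether anonymous HTTP access is still allowed in core-site.xml (Hadoop treats a missing property as true), whether yarn-site.xml enables the ZooKeeper configuration store that CVE-2021-25642 affects, whether the running Hadoop version is at or past the fixed releases named above, and whether a security group rule is open to the whole Internet. The XML documents embedded here are constructed samples standing in for the real files; the function names, the version-line table and the reading of "or later" as also covering release lines newer than 3.3 are this example's own assumptions.

```python
"""Audit Hadoop/EMR settings for the items in this notice (added example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample documents; a live run would read the real files, e.g.
# /etc/emr/hadoop-conf/core-site.xml and yarn-site.xml, with open().read().
CORE_SITE_WEAK = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://emr-header-1:9000</value></property>
</configuration>"""

CORE_SITE_HARDENED = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://emr-header-1:9000</value></property>
  <property>
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
  </property>
</configuration>"""

YARN_SITE_ZK = """<configuration>
  <property><name>yarn.scheduler.configuration.store.class</name><value>zk</value></property>
</configuration>"""

# Fixed patch level per release line, as listed in the notice (assumed table).
FIXED = {(2, 10): 2, (3, 2): 4, (3, 3): 4}


def load_props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def anonymous_http_allowed(core_site_xml):
    """True if anonymous HTTP access is permitted; Hadoop defaults the flag to true."""
    props = load_props(core_site_xml)
    value = props.get("hadoop.http.authentication.simple.anonymous.allowed", "true")
    return value.lower() != "false"


def zk_config_store_enabled(yarn_site_xml):
    """True if the capacity scheduler reads its configuration from ZooKeeper ('zk');
    the notice states the EMR default is 'file', which does not use ZKConfigurationStore."""
    props = load_props(yarn_site_xml)
    return props.get("yarn.scheduler.configuration.store.class", "file").lower() == "zk"


def hadoop_version_fixed(version):
    """True if `version` is at or past 2.10.2 / 3.2.4 / 3.3.4 on its release line,
    or on a line newer than any listed (assumed reading of 'or later').
    Lines the notice does not name (for example 3.1.x) return False."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised Hadoop version string: {version!r}")
    major, minor, patch = (int(g) for g in match.groups())
    line = (major, minor)
    if line in FIXED:
        return patch >= FIXED[line]
    return line > max(FIXED)


def open_to_world(cidr):
    """True for an authorization object that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(core_site_xml, yarn_site_xml, version, authorization_objects=()):
    """Return a list of findings; an empty list means every item in the notice passes."""
    findings = []
    if anonymous_http_allowed(core_site_xml):
        findings.append("anonymous HTTP access allowed: set "
                        "hadoop.http.authentication.simple.anonymous.allowed=false")
    if zk_config_store_enabled(yarn_site_xml) and not hadoop_version_fixed(version):
        findings.append(f"ZKConfigurationStore enabled on unfixed Hadoop {version} "
                        "(CVE-2021-25642): upgrade to 2.10.2, 3.2.4, 3.3.4 or later")
    for cidr in authorization_objects:
        if open_to_world(cidr):
            findings.append(f"security group rule authorizes {cidr}: restrict the source range")
    return findings


if __name__ == "__main__":
    for finding in audit(CORE_SITE_WEAK, YARN_SITE_ZK, "3.2.3", ["0.0.0.0/0", "10.0.0.0/8"]):
        print("FINDING:", finding)
```

Point `audit()` at the contents of the real core-site.xml and yarn-site.xml and the output of `hadoop version` to use it on a cluster; the ZooKeeper store is only reported when the version is also unfixed, because the notice's remedy for that item is the upgrade rather than a configuration change.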