Apache Hadoop is a software framework that supports data-intensive distributed applications and is released under the Apache License 2.0. Recently, security researchers have detected a vulnerability in Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2. The vulnerability stems from inadequate input validation and allows an attacker to run commands with root permissions, which is highly risky.
See the following for more information about the vulnerability.
Apache Hadoop remote privilege escalation vulnerability
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, LinuxContainerExecutor does not effectively validate its input, which allows a user to run the docker command with root permissions. When the Docker feature is enabled, an authenticated user can run the command with root permissions.
Condition and method of exploitation
- Apache Hadoop 2.8.0
- Apache Hadoop 3.0.0-alpha1
- Apache Hadoop 3.0.0-alpha2
Check whether any affected version of Apache Hadoop is used.
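One way to script this check is sketched below. It is an added example, not part of the original advisory or of the Hadoop project. It assumes the first line of `hadoop version` output has the form `Hadoop <version>`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify a Hadoop install against the versions listed in this advisory.

# Constructed sample of `hadoop version` output (only the first line matters).
SAMPLE_OUTPUT='Hadoop 2.8.0
Compiled by builder (constructed sample line)'

# Extract the version string from the first line, e.g. "Hadoop 2.8.0" -> "2.8.0".
parse_hadoop_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Hadoop" { print $2 }'
}

# Print a verdict for the given `hadoop version` output.
# Return codes: 1 = affected, 0 = not in the advisory's list, 2 = unparseable.
check_hadoop_version() {
    ver=$(parse_hadoop_version "$1")
    case "$ver" in
        2.8.0)
            echo "AFFECTED $ver: upgrade to 2.8.1"
            return 1 ;;
        3.0.0-alpha1|3.0.0-alpha2)
            echo "AFFECTED $ver: upgrade to 3.0.0-alpha3 or later"
            return 1 ;;
        "")
            echo "UNKNOWN: could not parse a version"
            return 2 ;;
        *)
            # Vendor-suffixed builds also land here; check them with the vendor.
            echo "NOT LISTED $ver"
            return 0 ;;
    esac
}

# Check the local install when the hadoop command is on PATH.
if command -v hadoop >/dev/null 2>&1; then
    check_hadoop_version "$(hadoop version 2>/dev/null)" || true
fi
```

Run it on each node that hosts a NodeManager, because LinuxContainerExecutor runs there.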
How to fix or mitigate
Upgrade Apache Hadoop 2.8.0 to 2.8.1.
Upgrade Apache Hadoop 3.0.0-alpha1 and Hadoop 3.0.0-alpha2 to Hadoop 3.0.0-alpha3 or later.