[ https://issues.apache.org/jira/browse/HADOOP-18136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated HADOOP-18136:
------------------------------------
Priority: Major (was: Minor)
> Verify FileUtils.unTar() handling of missing .tar files: Fixes CVE-2022-25168
> -----------------------------------------------------------------------------
>
> Key: HADOOP-18136
> URL: https://issues.apache.org/jira/browse/HADOOP-18136
> Project: Hadoop Common
> Issue Type: Improvement
> Components: test, util
> Affects Versions: 3.1.4, 2.10.1, 3.3.1, 3.2.3
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Fix For: 2.10.2, 3.2.4, 3.3.3
>
>
> Add a test to verify that FileUtils.unTar() on a non-.gz file fails meaningfully if
> the file isn't present; fix if not.
> Test both the unix and windows paths.
> This patch contains the fix (and tests to verify it) for CVE-2022-25168
> * [mitre CVE|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168]
> h2. Announcement
> {code}
> Severity: important
> Versions affected:
> 2.0.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 3.3.0 to 3.3.2
> Description:
> Apache Hadoop's FileUtil.unTar(File, File) API does not escape the
> input file name before being passed to the shell. An attacker can
> inject arbitrary commands.
> This is only used in Hadoop 3.3
> InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by
> a local user.
> It has been used in Hadoop 2.x for yarn localization, which does
> enable remote code execution.
> It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the
> ADD ARCHIVE command adds new binaries to the classpath, being able to
> execute shell scripts does not confer new permissions to the caller.
> SPARK-38305. "Check existence of file before untarring/zipping", which
> is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being
> executed, regardless of which version of the hadoop libraries are in
> use.
> Mitigation:
> Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper
> (including HADOOP-18136).
> Credit:
> Apache Hadoop would like to thank Kostya Kortchinsky for reporting this issue
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
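The advisory above describes the defect as an input file name passed unescaped to a shell. The following Java class is an added example, not code from the Hadoop project or from this issue's patch, showing the shape that closes that hole: it checks that the archive exists before doing anything (the kind of check SPARK-38305 added), and it starts `tar` directly with an argument list instead of building a shell command string. The class and method names (`SafeUnTar.unTar`) and the flag choices are assumptions for illustration, not Hadoop's `FileUtil.unTar` API.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.List;

/**
 * Added example (hypothetical helper, not Hadoop's FileUtil.unTar).
 *
 * The vulnerable shape the advisory describes is a single command string handed
 * to a shell, e.g. {@code "tar -xf " + archive.getName()} via {@code sh -c}: the
 * shell, not tar, parses the file name, so shell metacharacters in it are
 * interpreted. The shape below never involves a shell.
 */
public final class SafeUnTar {

    private SafeUnTar() {}

    /**
     * Extract {@code archive} into {@code targetDir}.
     *
     * @throws IOException if the archive is missing or tar fails
     */
    public static void unTar(File archive, File targetDir)
            throws IOException, InterruptedException {
        // Fail early with a clear message instead of letting a child process
        // (or a shell) complain about a file that was never there.
        if (!archive.isFile()) {
            throw new IOException("archive not found: " + archive);
        }
        Files.createDirectories(targetDir.toPath());

        // Choose decompression from the suffix, but express it as a separate flag
        // rather than by interpolating anything into a command string.
        String name = archive.getName();
        boolean gzipped = name.endsWith(".gz") || name.endsWith(".tgz");

        // getAbsolutePath() yields a path starting with "/" (or a drive letter on
        // Windows), so it cannot be mistaken by tar for an option beginning with "-".
        String src = archive.getAbsolutePath();
        String dst = targetDir.getAbsolutePath();

        // ProcessBuilder with a List<String> executes "tar" directly with these
        // exact argv entries; there is no /bin/sh in between, so characters such
        // as ';', '$', '`' or '&' in the file name reach tar as plain bytes.
        List<String> cmd = gzipped
                ? List.of("tar", "-xzf", src, "-C", dst)
                : List.of("tar", "-xf", src, "-C", dst);

        Process p = new ProcessBuilder(cmd)
                .redirectErrorStream(true)
                .redirectOutput(ProcessBuilder.Redirect.DISCARD)
                .start();
        int rc = p.waitFor();
        if (rc != 0) {
            throw new IOException("tar exited with status " + rc + " for " + archive);
        }
    }

    // Usage (assumed paths):
    //   SafeUnTar.unTar(new File("/tmp/in/app.tar.gz"), new File("/tmp/out"));
}
```

Two points worth checking when reviewing similar code: first, whether any `"sh"`, `"bash"` or `"cmd.exe"` with `-c` / `/c` remains anywhere in the call chain, since a single shell hop reintroduces the problem regardless of how the arguments were assembled; second, whether the existence check happens before the process is started, because the advisory's error path for a missing file is what the test in this issue is meant to exercise. Extracting the archive in-process with a library (for example commons-compress's `TarArchiveInputStream`) removes the subprocess altogether, at the cost of handling path traversal in entry names yourself.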