[this announcement is available online at https://s.apache.org/7l5y1]
Open Source Big Data MPP analytical database engine in use at Baidu, JD,
Meituan, Sina, Tencent, and Xiaomi, among others.
Wilmington, DE —16 June 2022— The Apache Software Foundation (ASF), the
all-volunteer developers,
Severity: Critical
Description:
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2,
and 3.3.0 to 3.3.1, a user who can escalate to the yarn user can possibly
run arbitrary commands as the root user. Users should upgrade to Apache
Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
Mitigation: