[
https://issues.apache.org/jira/browse/YARN-9718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16903234#comment-16903234
]
Billie Rinaldi commented on YARN-9718:
--------------------------------------
Thanks for working on this patch, [~eyang]! I see one issue which is that the
properties that are validated are obtained in a different way than [the JVM
options are obtained for the
AM|https://github.com/apache/hadoop/blob/63161cf590d43fe7f6c905946b029d893b774d77/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/client/ServiceClient.java#L1199-L1200].
It would be best to use this same approach to get the JVM opts property value.
This looks for the property in the service configuration and in the YARN
configuration. The current patch is checking the component configuration, which
is not necessary.
{noformat}
String jvmOpts = YarnServiceConf
.get(YarnServiceConf.JVM_OPTS, "", app.getConfiguration(), conf);
{noformat}
> Yarn REST API, services endpoint remote command ejection
> --------------------------------------------------------
>
> Key: YARN-9718
> URL: https://issues.apache.org/jira/browse/YARN-9718
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.1.0, 3.2.0, 3.1.1, 3.1.2
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-9718.001.patch, YARN-9718.002.patch
>
>
> Email from Oskars Vegeris:
>
> During internal infrastructure testing it was discovered that the Hadoop Yarn
> REST endpoint /app/v1/services contains a command injection vulnerability.
>
> The services endpoint's normal use-case is for launching containers (e.g.
> Docker images/apps), however by providing an argument with special shell
> characters it is possible to execute arbitrary commands on the Host server -
> this would allow escalation of privileges and access.
>
> The command injection is possible in the parameter for JVM options -
> "yarn.service.am.java.opts". It's possible to enter arbitrary shell commands
> by using sub-shell syntax `cmd` or $(cmd). No shell character filtering is
> performed.
>
> The "launch_command" which needs to be provided is meant for the container
> and if it's not being run in privileged mode or with special options, host OS
> should not be accessible.
>
> I've attached a minimal request sample with an injected 'ping' command. The
> endpoint can also be found via the UI at
> [http://yarn-resource-manager:8088/ui2/#/yarn-services]
>
> If no auth, or "simple auth" (username) is enabled, commands can be executed
> on the host OS. I know commands can also be run by the "new-application"
> feature, however this is clearly not meant to be a way to touch the host OS.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
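Added example, not code from the issue, the attached patches, or Hadoop itself: a Python model of the two points in this thread, the layered property lookup Billie describes (service configuration first, then the YARN configuration, then a default, mirroring `YarnServiceConf.get(YarnServiceConf.JVM_OPTS, "", app.getConfiguration(), conf)`) and a check on the looked-up value that rejects the sub-shell syntax named in the report. The property key is the one from the report; the allow-list regex, the `render_launch_line` helper, and the assumption that the AM launch line is handed to a POSIX shell are the editor's, not the project's, and the `shell_expands` helper only exists to show what `sh` does with an unquoted `$(...)`.

```python
import re
import subprocess

# Property named in the report; looked up by the same name in both configs.
JVM_OPTS_KEY = "yarn.service.am.java.opts"

# Assumption (editor's, not the patch's): a hardened check allow-lists what a
# JVM option may contain instead of block-listing `cmd` and $(cmd).  Each token
# must start with "-" and use only letters, digits and a few punctuation
# characters; backticks, "$", quotes, ";", "|", "&", "<", ">", "(" and ")" are
# therefore rejected, as is anything that is not a "-" flag at all.
_SAFE_OPT = re.compile(r"^-[A-Za-z0-9_.:=+/,\-]*$")


def get_jvm_opts(service_conf, yarn_conf, default=""):
    """Model of YarnServiceConf.get(JVM_OPTS, "", app.getConfiguration(), conf):
    the service-level property wins, then the YARN configuration, then default.
    Both configs are plain dicts here."""
    for conf in (service_conf, yarn_conf):
        value = conf.get(JVM_OPTS_KEY)
        if value is not None:
            return value
    return default


def validate_jvm_opts(opts):
    """Return the option tokens when every whitespace-separated token is a plain
    -X/-D style flag; raise ValueError naming the first offending token."""
    tokens = opts.split()
    for tok in tokens:
        if not _SAFE_OPT.match(tok):
            raise ValueError("unsafe JVM option rejected: %r" % tok)
    return tokens


def is_safe_jvm_opts(opts):
    """Boolean wrapper around validate_jvm_opts."""
    try:
        validate_jvm_opts(opts)
    except ValueError:
        return False
    return True


def render_launch_line(java_opts, main_class="ServiceMaster"):
    """Assumption: the AM launch command is one string that the NodeManager
    hands to a shell, so java_opts is spliced in as shell syntax, not argv."""
    return "java %s %s" % (java_opts, main_class)


def shell_expands(value):
    """Show what a POSIX shell does with `value` pasted unquoted into a command
    line: sub-shell syntax is executed and its output spliced into the argument."""
    out = subprocess.run(["sh", "-c", "printf '%s\\n' " + value],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed configurations: the service spec carries the reporter's
    # pattern (a $(cmd) sub-shell inside a -D option), YARN config a sane default.
    service_conf = {JVM_OPTS_KEY: "-Xmx512m -Dfoo=bar$(ping -c1 attacker)"}
    yarn_conf = {JVM_OPTS_KEY: "-Xmx256m"}

    opts = get_jvm_opts(service_conf, yarn_conf)
    print("launch line as the shell sees it:", render_launch_line(opts))
    print("what sh does with $(...):", shell_expands("-Xmx1g$(echo INJECTED)"))
    try:
        validate_jvm_opts(opts)
    except ValueError as err:
        print("validator:", err)
    print("accepted:", validate_jvm_opts(get_jvm_opts({}, yarn_conf)))
```

The lookup order matters for where the check runs: validating the component configuration, as the comment notes, misses a value that arrives through the service configuration or the YARN configuration, so the check should sit on the same `get_jvm_opts` result the launcher uses.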