Apache Hadoop spins cracking code injection vulnerability YARN
The “Zip Slip” vulnerability that first emerged in June has claimed another victim – the Apache Hadoop YARN NodeManager daemon.
Apache’s Akira Ajisaka disclosed the bug here. Zip Slip affects all Apache Hadoop versions except 3.1.1, 3.0.3, 2.8.5 and 2.7.7, as well as JBoss Fuse 6.0 and 7.0.
In the Hadoop case, as well as the NodeManager daemon, the vulnerability affects implementations that use public archives in the distributed cache.
According to the disclosure, the bug “allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localised, public archive on the node then code can be injected into the jobs of other cluster users using the public archive.”
As we explained when Zip Slip was first disclosed, the bug affects any code that unpacks compressed archives. Attackers can exploit inadequate filename sanitation that allows them to set the unpacked file’s destination to an existing folder or file on the target system.
The attacker’s file could therefore overwrite existing data, anywhere on a system, and as we noted in June: “That would allow a miscreant to inject arbitrary commands in script files, or change executables, to do nefarious things.”
Apache had already mitigated Zip Slip in another package in June. Fixing YARN was harder, it seems, since the organisation’s CVE list entry said it was first notified of the issue in April.
It’s been a rough week for YARN, with Netscout revealing its role as a vector for Mirai attacks earlier this week. ®
Sponsored: Following Bottomline’s journey to the Hybrid Cloud
READ MORE HERE