cvelistv5 - cve-2023-26031

Source	URL	Tags
security@apache.org	https://hadoop.apache.org/cve_list.html	Vendor Advisory
security@apache.org	https://issues.apache.org/jira/browse/YARN-11441	Issue Tracking, Vendor Advisory
security@apache.org	https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r	Mailing List, Vendor Advisory
security@apache.org	https://security.netapp.com/advisory/ntap-20240112-0001/

Vendor	Product
Apache Software Foundation	Apache Hadoop

gsd-2023-26031

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges. Hadoop 3.3.0 updated the " YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html " to add a feature for executing user-submitted applications in isolated linux containers. The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs. The patch " YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable" modified the library loading path for loading .so files from "$ORIGIN/" to ""$ORIGIN/:../lib/native/". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root. If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges. The fix for the vulnerability is to revert the change, which is done in YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , "Revert YARN-10495". This patch is in hadoop-3.3.5. To determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path "./lib/native/" then it is at risk $ readelf -d container-executor|grep 'RUNPATH\|RPATH' 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/] If it does not, then it is safe: $ readelf -d container-executor|grep 'RUNPATH\|RPATH' 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/] For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set $ ls -laF /opt/hadoop/bin/container-executor ---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor A safe installation lacks the suid bit; ideally is also not owned by root. $ ls -laF /opt/hadoop/bin/container-executor -rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor This configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.

Aliases

CVE-2023-26031

Aliases

CVE-2023-26031

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-26031",
    "id": "GSD-2023-26031"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-26031"
      ],
      "details": "Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.\n\nHadoop 3.3.0 updated the \" YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html \" to add a feature for executing user-submitted applications in isolated linux containers.\n\nThe native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.\n\nThe patch \" YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable\" modified the library loading path for loading .so files from \"$ORIGIN/\" to \"\"$ORIGIN/:../lib/native/\". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.\nIf the YARN cluster is accepting work from remote (authenticated) users, and these users\u0027 submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.\n\nThe fix for the vulnerability is to revert the change, which is done in  YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , \"Revert YARN-10495\". This patch is in hadoop-3.3.5.\n\nTo determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path \"./lib/native/\" then it  is at risk\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/:../lib/native/]\n\nIf it does not, then it is safe:\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/]\n\nFor an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set\n\n$ ls -laF /opt/hadoop/bin/container-executor\n---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nA safe installation lacks the suid bit; ideally is also not owned by root.\n\n$ ls -laF /opt/hadoop/bin/container-executor\n-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nThis configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.\n\n",
      "id": "GSD-2023-26031",
      "modified": "2023-12-13T01:20:54.209536Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-26031",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Hadoop",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "3.3.1",
                          "version_value": "3.3.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "configuration": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The owner of the\u0026nbsp;container-executor binary must be set to \"root\" and suid set bit such that callers would execute the binary as root. These operations are a requirement for \"YARN Secure Containers\".\u003cbr\u003e \u003cbr\u003eIn an installation using the hadoop.tar.gz file the binary\u0027s owner is that of the installing user, and without the suid permission is not at risk. \u003cbr\u003e\u003cbr\u003eHowever, Apache BIgtop installations set the owner and permissions such that installations may be vulnerable\u003cbr\u003e\u003cbr\u003eThe container-executor\u0026nbsp;binary is only vulnerable on some Hadoop/Bigtop releases. It is possible to verify whether a version is vulnerable using the readelf command."
            }
          ],
          "value": "The owner of the\u00a0container-executor binary must be set to \"root\" and suid set bit such that callers would execute the binary as root. These operations are a requirement for \"YARN Secure Containers\".\n \nIn an installation using the hadoop.tar.gz file the binary\u0027s owner is that of the installing user, and without the suid permission is not at risk. \n\nHowever, Apache BIgtop installations set the owner and permissions such that installations may be vulnerable\n\nThe container-executor\u00a0binary is only vulnerable on some Hadoop/Bigtop releases. It is possible to verify whether a version is vulnerable using the readelf command."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Esa Hiltunen"
        },
        {
          "lang": "en",
          "value": "Mikko Kortelainen"
        },
        {
          "lang": "en",
          "value": "The Teragrep Project"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.\n\nHadoop 3.3.0 updated the \" YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html \" to add a feature for executing user-submitted applications in isolated linux containers.\n\nThe native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.\n\nThe patch \" YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable\" modified the library loading path for loading .so files from \"$ORIGIN/\" to \"\"$ORIGIN/:../lib/native/\". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.\nIf the YARN cluster is accepting work from remote (authenticated) users, and these users\u0027 submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.\n\nThe fix for the vulnerability is to revert the change, which is done in  YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , \"Revert YARN-10495\". This patch is in hadoop-3.3.5.\n\nTo determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path \"./lib/native/\" then it  is at risk\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/:../lib/native/]\n\nIf it does not, then it is safe:\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/]\n\nFor an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set\n\n$ ls -laF /opt/hadoop/bin/container-executor\n---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nA safe installation lacks the suid bit; ideally is also not owned by root.\n\n$ ls -laF /opt/hadoop/bin/container-executor\n-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nThis configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-426",
                "lang": "eng",
                "value": "CWE-426 Untrusted Search Path"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://issues.apache.org/jira/browse/YARN-11441",
            "refsource": "MISC",
            "url": "https://issues.apache.org/jira/browse/YARN-11441"
          },
          {
            "name": "https://hadoop.apache.org/cve_list.html",
            "refsource": "MISC",
            "url": "https://hadoop.apache.org/cve_list.html"
          },
          {
            "name": "https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240112-0001/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20240112-0001/"
          }
        ]
      },
      "source": {
        "defect": [
          "YARN-11441"
        ],
        "discovery": "EXTERNAL"
      },
      "work_around": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003col\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUpgrade to Apache Hadoop 3.3.5\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eIf\u0026nbsp;Yarn Secure Containers are not required, remove all execute permissions on bin/container-executor ; change its owner from root, or simply delete it.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eIf Yarn Secure Containers are required on a vulnerable release and upgrade is not possible, replace the container-executor\u0026nbsp;binary with that of the 3.3.5 release.\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003eAs most Hadoop installations do not use Yarn Secure Containers, removing execute permissions from the container-executor binary a is sufficient to secure the systems; deletion ensures that no security scanners will report the issue."
            }
          ],
          "value": "  *  Upgrade to Apache Hadoop 3.3.5\n  *  If\u00a0Yarn Secure Containers are not required, remove all execute permissions on bin/container-executor ; change its owner from root, or simply delete it.\n  *  If Yarn Secure Containers are required on a vulnerable release and upgrade is not possible, replace the container-executor\u00a0binary with that of the 3.3.5 release.\n\nAs most Hadoop installations do not use Yarn Secure Containers, removing execute permissions from the container-executor binary a is sufficient to secure the systems; deletion ensures that no security scanners will report the issue."
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D701B179-FF46-4C12-8258-350936106618",
                    "versionEndIncluding": "3.3.4",
                    "versionStartIncluding": "3.3.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.\n\nHadoop 3.3.0 updated the \" YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html \" to add a feature for executing user-submitted applications in isolated linux containers.\n\nThe native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.\n\nThe patch \" YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable\" modified the library loading path for loading .so files from \"$ORIGIN/\" to \"\"$ORIGIN/:../lib/native/\". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.\nIf the YARN cluster is accepting work from remote (authenticated) users, and these users\u0027 submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.\n\nThe fix for the vulnerability is to revert the change, which is done in  YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , \"Revert YARN-10495\". This patch is in hadoop-3.3.5.\n\nTo determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path \"./lib/native/\" then it  is at risk\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/:../lib/native/]\n\nIf it does not, then it is safe:\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/]\n\nFor an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set\n\n$ ls -laF /opt/hadoop/bin/container-executor\n---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nA safe installation lacks the suid bit; ideally is also not owned by root.\n\n$ ls -laF /opt/hadoop/bin/container-executor\n-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nThis configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.\n\n"
          },
          {
            "lang": "es",
            "value": "La resoluci\u00f3n relativa de la librer\u00eda en el binario contenedor-ejecutor de Linux en Apache Hadoop 3.3.1-3.3.4 en Linux permite al usuario local obtener privilegios de root. Si el cl\u00faster YARN acepta trabajo de usuarios remotos (autenticados), esto PUEDE permitir que los usuarios remotos obtengan privilegios de root. Hadoop 3.3.0 actualiz\u00f3 \" YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html \" para agregar una funci\u00f3n para ejecutar aplicaciones enviadas por el usuario de forma aislada contenedores de Linux. El binario nativo HADOOP_HOME/bin/container-executor se utiliza para lanzar estos contenedores; debe ser propiedad de root y tener el bit suid configurado para que los procesos YARN ejecuten los contenedores como los usuarios espec\u00edficos que env\u00edan los trabajos. El parche \"YARN-10495 https://issues.apache.org/jira/browse/YARN-10495. make the rpath of container-executor configurable\" modific\u00f3 la ruta de carga de la librer\u00eda para cargar archivos .so de \"$ORIGIN/\" a \"\"$ORIGIN/:../lib/native/\". Esta es la ruta a trav\u00e9s de la cual se encuentra libcrypto.so. Por lo tanto, es posible que un usuario con privilegios reducidos instale una librer\u00eda libcrypto maliciosa en una ruta a la que tienen acceso de escritura, invocan el comando contenedor-ejecutor y ejecutan su librer\u00eda modificada como root. Si el cl\u00faster YARN acepta trabajo de usuarios remotos (autenticados) y el trabajo enviado por estos usuarios se ejecuta en el host f\u00edsico, en lugar de un contenedor, entonces el CVE permite a los usuarios remotos obtener privilegios de root. La soluci\u00f3n para la vulnerabilidad es revertir el cambio, lo cual se realiza en YARN-11441 https://issues.apache.org/jira/browse/YARN-11441, \"Revertir YARN-10495\". Este parche est\u00e1 en hadoop-3.3.5. Para determinar si una versi\u00f3n de container-executor es vulnerable, utilice el comando readelf. Si el valor RUNPATH o RPATH contiene la ruta relativa \"./lib/native/\", entonces est\u00e1 en riesgo $ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 0x0000000000000001d (RUNPATH) Ruta de ejecuci\u00f3n de la librer\u00eda: [$ORIGIN/: ../lib/native/] Si no es as\u00ed, entonces es seguro: $ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 0x000000000000001d (RUNPATH) Ruta de ejecuci\u00f3n de la librer\u00eda: [$ORIGIN/] Para un sitio en riesgo versi\u00f3n de container-executor para habilitar la escalada de privilegios, el propietario debe ser root y el bit suid debe estar configurado $ ls -laF /opt/hadoop/bin/container-executor ---Sr-s---. 1 root hadoop 802968 9 de mayo 20:21 /opt/hadoop/bin/container-executor Una instalaci\u00f3n segura carece del bit suid; Lo ideal es que tampoco sea propiedad de root. $ ls -laF /opt/hadoop/bin/container-executor -rwxr-xr-x. 1 hilo hadoop 802968 9 de mayo 20:21 /opt/hadoop/bin/container-executor Esta configuraci\u00f3n no admite Contenedores Seguros Yarn, pero todos los dem\u00e1s servicios de hadoop, incluida la ejecuci\u00f3n de trabajos YARN fuera de contenedores seguros, contin\u00faan funcionando."
          }
        ],
        "id": "CVE-2023-26031",
        "lastModified": "2024-01-12T14:15:47.603",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-11-16T09:15:06.920",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://hadoop.apache.org/cve_list.html"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Issue Tracking",
              "Vendor Advisory"
            ],
            "url": "https://issues.apache.org/jira/browse/YARN-11441"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Vendor Advisory"
            ],
            "url": "https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r"
          },
          {
            "source": "security@apache.org",
            "url": "https://security.netapp.com/advisory/ntap-20240112-0001/"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-426"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-426"
              }
            ],
            "source": "security@apache.org",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

ghsa-94jh-j374-9r3j

Vulnerability from github

Published

2023-11-16 09:30

Modified

2024-08-02 10:37

Severity

7.5 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Apache Hadoop allows local user to gain root privileges

Details

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.

Hadoop 3.3.0 updated the " YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html " to add a feature for executing user-submitted applications in isolated linux containers.

The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.

The patch " YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable" modified the library loading path for loading .so files from "$ORIGIN/" to ""$ORIGIN/:../lib/native/". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root. If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.

The fix for the vulnerability is to revert the change, which is done in YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , "Revert YARN-10495". This patch is in hadoop-3.3.5.

To determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path "./lib/native/" then it is at risk

$ readelf -d container-executor|grep 'RUNPATH\|RPATH' 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/]

If it does not, then it is safe:

$ readelf -d container-executor|grep 'RUNPATH\|RPATH' 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/]

For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set

$ ls -laF /opt/hadoop/bin/container-executor ---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

A safe installation lacks the suid bit; ideally is also not owned by root.

$ ls -laF /opt/hadoop/bin/container-executor -rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

This configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hadoop:hadoop-yarn-project"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.1"
            },
            {
              "fixed": "3.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-16T21:02:11Z",
    "nvd_published_at": "2023-11-16T09:15:06Z",
    "severity": "HIGH"
  },
  "details": "Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.\n\nHadoop 3.3.0 updated the \" YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html \" to add a feature for executing user-submitted applications in isolated linux containers.\n\nThe native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.\n\nThe patch \" YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable\" modified the library loading path for loading .so files from \"$ORIGIN/\" to \"\"$ORIGIN/:../lib/native/\". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.\nIf the YARN cluster is accepting work from remote (authenticated) users, and these users\u0027 submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.\n\nThe fix for the vulnerability is to revert the change, which is done in  YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , \"Revert YARN-10495\". This patch is in hadoop-3.3.5.\n\nTo determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path \"./lib/native/\" then it  is at risk\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/:../lib/native/]\n\nIf it does not, then it is safe:\n\n$ readelf -d container-executor|grep \u0027RUNPATH\\|RPATH\u0027 \n0x000000000000001d (RUNPATH)  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Library runpath: [$ORIGIN/]\n\nFor an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set\n\n$ ls -laF /opt/hadoop/bin/container-executor\n---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nA safe installation lacks the suid bit; ideally is also not owned by root.\n\n$ ls -laF /opt/hadoop/bin/container-executor\n-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor\n\nThis configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.",
  "id": "GHSA-94jh-j374-9r3j",
  "modified": "2024-08-02T10:37:00Z",
  "published": "2023-11-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/hadoop"
    },
    {
      "type": "WEB",
      "url": "https://hadoop.apache.org/cve_list.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/YARN-11441"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240112-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Hadoop allows local user to gain root privileges"
}

wid-sec-w-2023-2954

Vulnerability from csaf_certbund

Published

2023-11-16 23:00

Modified

2023-11-16 23:00

Summary

Apache Hadoop: Schwachstelle ermöglicht Privilegieneskalation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Hadoop ist eine verteilte Big Data Plattform.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in Apache Hadoop ausnutzen, um seine Privilegien zu erhöhen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Hadoop ist eine verteilte Big Data Plattform.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in Apache Hadoop ausnutzen, um seine Privilegien zu erh\u00f6hen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2954 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2954.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2954 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2954"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-94jh-j374-9r3j vom 2023-11-16",
        "url": "https://github.com/advisories/GHSA-94jh-j374-9r3j"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Hadoop: Schwachstelle erm\u00f6glicht Privilegieneskalation",
    "tracking": {
      "current_release_date": "2023-11-16T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:51:48.232+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-2954",
      "initial_release_date": "2023-11-16T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-11-16T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Apache Hadoop \u003c 3.3.5",
            "product": {
              "name": "Apache Hadoop \u003c 3.3.5",
              "product_id": "T031237",
              "product_identification_helper": {
                "cpe": "cpe:/a:apache:hadoop:3.3.5"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-26031",
      "notes": [
        {
          "category": "description",
          "text": "Es gibt eine Schwachstelle in Apache Hadoop in der Funktionalit\u00e4t \"YARN Secure Containers\". Ursache ist ein Fehler bei der Aufl\u00f6sung von Bibliotheken in der Komponente \"linux container-executor\". Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien auf \"root\" auszuweiten."
        }
      ],
      "release_date": "2023-11-16T23:00:00Z",
      "title": "CVE-2023-26031"
    }
  ]
}

Action not permitted

cve-2023-26031

Vulnerability from cvelistv5

gsd-2023-26031

Vulnerability from gsd

ghsa-94jh-j374-9r3j

Vulnerability from github

wid-sec-w-2023-2954

Vulnerability from csaf_certbund

Tags