Apache Hadoop YARN NodeManager Daemon Falls Prey To Zip Slip Vulnerability


A few months ago, researchers discovered the Zip Slip vulnerability, which could lead to remote code execution attacks. As disclosed at that time, the vulnerability affected several large projects, including HP, Amazon, Twitter, LinkedIn, Oracle, Alibaba, Eclipse, JetBrains, Google, and Selenium, among others. Now, a researcher has found that the vulnerability also affects the Apache Hadoop YARN NodeManager daemon.

Zip Slip Vulnerability In Apache Hadoop YARN NodeManager

According to the report shared by Akira Ajisaka from Apache, the Zip Slip vulnerability disclosed by Snyk in June this year also affects the Apache Hadoop YARN NodeManager daemon. In this case, the bug appeared in the handling of public archives in the distributed cache. As stated in his report,

“Vulnerability allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localized, public archive on the node then code can be injected into the jobs of other cluster users using the public archive.”

The Apache Hadoop distributed cache archive vulnerability discovered by Ajisaka has received a high severity rating and has been assigned the identifier CVE-2018-8009.

To recall the Zip Slip vulnerability in brief: it is an arbitrary code execution bug triggered by a malicious zip file, whose entry names use directory traversal so that extraction writes files outside the intended directory. Exploiting this vulnerability could let an attacker execute commands remotely on the targeted system.
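As an added illustration (not code from this article or from the Hadoop project), the Python below contrasts the unsafe extraction pattern behind Zip Slip, which joins each archive entry name onto the destination and writes without checking where the path ends up, with a hardened version that resolves every entry's final path and refuses anything that does not stay under the extraction root. The archive, its entry names and the directory layout are constructed for the demo; the function names are the author's own.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one benign entry and one Zip Slip style entry
# whose name climbs out of the extraction root via "../".
BENIGN_ENTRY = "job/config.xml"
TRAVERSAL_ENTRY = "../escaped.sh"


def build_sample_zip() -> bytes:
    """Build the constructed archive in memory (ZipFile.writestr keeps the
    entry name exactly as given, including the '..' segment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "<configuration/>\n")
        zf.writestr(TRAVERSAL_ENTRY, "echo injected\n")
    return buf.getvalue()


def resolves_inside(root: str, name: str) -> bool:
    """True only if root/name, once normalized, still lies under root.
    Rejects '..' segments, absolute entry names, and prefix tricks such as
    /cache/public vs /cache/public-evil (commonpath compares whole segments)."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    return os.path.commonpath([root_real, target]) == root_real


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: the entry name is trusted, so a '../' entry is
    written outside dest. Returns the real paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Hardened pattern: containment is checked before any filesystem write,
    and rejected entries are reported so the caller can log or fail the job."""
    result = {"written": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not resolves_inside(dest, info.filename):
                result["rejected"].append(info.filename)
                continue
            path = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as out:
                out.write(zf.read(info))
            result["written"].append(info.filename)
    return result


def demo() -> dict:
    """Extract the same archive with both functions into sibling roots under
    one temporary directory and report which entries escaped their root."""
    archive = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        unsafe_root = os.path.join(tmp, "unsafe", "public")
        safe_root = os.path.join(tmp, "safe", "public")
        os.makedirs(unsafe_root)
        os.makedirs(safe_root)

        unsafe_written = unsafe_extract(archive, unsafe_root)
        unsafe_real = os.path.realpath(unsafe_root)
        escaped = [p for p in unsafe_written
                   if os.path.commonpath([unsafe_real, p]) != unsafe_real]

        safe_result = safe_extract(archive, safe_root)
        return {
            "unsafe_escaped": [os.path.basename(p) for p in escaped],
            "safe_written": safe_result["written"],
            "safe_rejected": safe_result["rejected"],
        }


if __name__ == "__main__":
    print(demo())
```

The containment check deliberately works on the resolved path rather than on the raw entry name: scanning a string for `..` misses absolute names and root-prefix collisions, whereas comparing `realpath` results with `commonpath` catches all three cases. On a node where a public archive is shared between users, rejecting and logging such entries at localization time is the point at which an attempted overwrite becomes visible to operators.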

Apache Released Patched Versions

Reportedly, CVE-2018-8009 affects Apache Hadoop versions 0.23.0 to 0.23.11, 2.0.0-alpha to 2.7.6, 2.8.0 to 2.8.4, 2.9.0 to 2.9.1, 3.0.0-alpha to 3.0.2, and 3.1.0. The patched versions are 2.7.7, 2.8.5, 2.9.2, 3.0.3, and 3.1.1. Users should therefore update their systems to one of these patched versions.

In addition, the flaw also affects Red Hat JBoss Fuse 6.0 and Red Hat JBoss Fuse 7, as confirmed by Red Hat in its advisory.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]