Apache Hadoop YARN NodeManager Daemon Falls Prey To Zip Slip Vulnerability

A few months ago, researchers discovered the Zip Slip vulnerability that could trigger remote code execution attacks. As disclosed at that time, the vulnerability affected several large projects. For instance, HP, Amazon, Twitter, LinkedIn, Oracle, Alibaba, Eclipse, JetBrains, Google, Selenium, and a few others. Now, a researcher found that the vulnerability also affects Apache Hadoop YARN NodeManager daemon.

Zip Slip Vulnerability In Apache Hadoop YARN NodeManager

According to the report shared by Akira Ajisaka from Apache, the Zip Slip vulnerability disclosed in June this year, by Snyk, has now affected the Apache Hadoop YARN NodeManager daemon. In this case, the bug appeared in the implementations involving public archives in a distributed cache. As stated in his report,

“Vulnerability allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localized, public archive on the node then code can be injected into the jobs of other cluster users using the public archive.”

The Apache Hadoop distributed cache archive vulnerability discovered by Ajisaka has achieved a high severity rating. It has received the CVE number CVE-2018-8009.

Recalling about the Zip Slip vulnerability, in brief, it’s an arbitrary code execution bug triggered by a malicious zip file. Exploiting this vulnerability could let an attacker to execute remote commands on the targeted system.

Apache Released Patched Versions

Reportedly, the CVE-2018-8009 bug affected the Apache Hadoop versions 0.23.0 to 0.23.11, 2.0.0-alpha to 2.7.6, 2.8.0 to 2.8.4, 2.9.0 to 2.9.1, 3.0.0-alpha to 3.0.2, and 3.1.0. Whereas, the patched versions include 2.7.7, 2.8.5, 2.9.2, 3.0.3, and 3.1.1. Users should thus update their systems to these patched versions.

In addition to these, the flaw also affected Redhat JBoss Fuse 6.0 and Red Hat JBoss Fuse 7 as confirmed by RedHat in its advisory.

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients