ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2022-08-25T00:00:00
Updated: 2024-08-03T20:11:28.113Z
Reserved: 2021-01-20T00:00:00
Link: CVE-2021-25642
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-08-25T14:15:09.067
Modified: 2024-11-21T05:55:11.800
Link: CVE-2021-25642
Redhat