Apache Hadoop spins cracking code injection vulnerability YARN

Loose .zips sink chips 2: Electric Boogaloo

The "Zip Slip" vulnerability that first emerged in June has claimed another victim – the Apache Hadoop YARN NodeManager daemon.

Cats eyes behind a zip

Loose .zips sink chips: How poisoned archives can hack your computer

READ MORE

Apache's Akira Ajisaka disclosed the bug here. Zip Slip affects all Apache Hadoop versions except 3.1.1, 3.0.3, 2.8.5 and 2.7.7, as well as JBoss Fuse 6.0 and 7.0.

In the Hadoop case, as well as the NodeManager daemon, the vulnerability affects implementations that use public archives in the distributed cache.

According to the disclosure, the bug "allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localised, public archive on the node then code can be injected into the jobs of other cluster users using the public archive."

As we explained when Zip Slip was first disclosed, the bug affects any code that unpacks compressed archives. Attackers can exploit inadequate filename sanitation that allows them to set the unpacked file's destination to an existing folder or file on the target system.

penguin entree army - black olives, carrot pieces and mozzarella balls pierced by toothpicks

Malware scum want to build a Linux botnet using Mirai

READ MORE

The attacker's file could therefore overwrite existing data, anywhere on a system, and as we noted in June: "That would allow a miscreant to inject arbitrary commands in script files, or change executables, to do nefarious things."

Apache had already mitigated Zip Slip in another package in June. Fixing YARN was harder, it seems, since the organisation's CVE list entry said it was first notified of the issue in April.

It's been a rough week for YARN, with Netscout revealing its role as a vector for Mirai attacks earlier this week. ®




Biting the hand that feeds IT © 1998–2018