VYPR
High severity · NVD Advisory · Published Aug 25, 2022 · Updated Aug 3, 2024

Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler

CVE-2021-25642

Description

ZKConfigurationStore, which is optionally used by the CapacityScheduler of Apache Hadoop YARN, deserializes data obtained from ZooKeeper without validation. An attacker with access to ZooKeeper can exploit this to run arbitrary commands as the YARN user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.hadoop:hadoop-yarn-server (Maven)

Affected versions          Patched version
< 2.10.2                   2.10.2
>= 3.0.0, < 3.2.4          3.2.4
>= 3.3.0, < 3.3.4          3.3.4
