Apache Hadoop YARN: ZKConfigStore Deserialization RCE (fixed in 2.10.2 / 3.2.4 / 3.3.4)
CVE-2021-25642 Published on August 25, 2022
Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler
ZKConfigurationStore, which is optionally used by the CapacityScheduler of Apache Hadoop YARN, deserializes data obtained from ZooKeeper without validation. An attacker with access to ZooKeeper can run arbitrary commands as the YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Weakness Type
What is a Marshaling/Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-25642 has been classified as a Marshaling/Unmarshaling vulnerability or weakness.
Products Associated with CVE-2021-25642
Affected Versions
Apache Software Foundation Apache Hadoop versions 2.9.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.3, and 3.3.0 to 3.3.3 are affected by CVE-2021-25642.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.