CVE-2022-26612
Published on April 7, 2022
Arbitrary file write in FileUtil#unpackEntries on Windows
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
Timeline
Issue was reported to Apache Hadoop security team.
First iteration of the fix was proposed. 8 days later.
Involved the Github Security team for reviewing the fix. 4 days later.
Second iteration of the fix was proposed. 3 days later.
Third iteration of the fix was proposed. 12 days later.
Issue was fixed and committed to the trunk branch. 2 days later.
Requested review of the announcement from the reporter. 22 days later.
Announcement review by the reporter completed. 6 days later.
Affected Versions
Apache Software Foundation Apache Hadoop:- Version unspecified and below 3.2.3 is affected.
- Version 3.3.1 is affected.
- Version 3.3.2 is affected.
- Version 3.4 and below All* is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.