Main Vulnerability Database SB2022082559

SB2022082559 - Deserialization of Untrusted Data in Apache Hadoop

Published: August 25, 2022 Updated: June 2, 2025

Security Bulletin ID SB2022082559

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2021-25642)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. A remote user with an access to ZooKeeper can run arbitrary commands as YARN user by exploiting this vulnerability.

Remediation

Install update from vendor's website.

References

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150
https://security.netapp.com/advisory/ntap-20221201-0003/