{
  "threat_severity" : "Moderate",
  "public_date" : "2022-06-15T00:00:00Z",
  "bugzilla" : {
    "description" : "hadoop: privilege escalation via yarn user",
    "id" : "2102826",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2102826"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-502",
  "details" : [ "In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.", "A flaw was found in Hadoop YARN. This flaw allows an attacker who holds existing permissions to escalate to the yarn user and run arbitrary commands as root." ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "hadoop",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "hadoop",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Not affected",
    "package_name" : "hadoop",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat Integration Data Virtualisation Operator",
    "fix_state" : "Out of support scope",
    "package_name" : "hadoop",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "hadoop",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-33036\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33036\nhttps://github.com/advisories/GHSA-58jx-f5rf-qgqf" ],
  "name" : "CVE-2021-33036",
  "csaw" : false
}