CVE-2023-26031
Published: 16 November 2023
Summary
CVE-2023-26031 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Apache Hadoop. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-26031 is a relative library resolution flaw in the container-executor native binary shipped with Apache Hadoop 3.3.1 through 3.3.4 on Linux. The issue stems from a prior change (YARN-10495) that expanded the RUNPATH/RPATH used to locate shared libraries such as libcrypto.so from "$ORIGIN/" to "$ORIGIN/:../lib/native/". When the binary is installed with root ownership and the setuid bit, an attacker who can write to a directory on that search path can supply a malicious library that executes with root privileges.
A local user on a node running the vulnerable binary can therefore escalate to root. When the YARN cluster accepts work from remote authenticated users and executes those jobs on the physical host rather than inside containers, the same vector can be reached remotely, granting the remote user root access on the host.
The official fix, delivered in YARN-11441 and included in Hadoop 3.3.5, reverts the RUNPATH change so that only "$ORIGIN/" is searched. Administrators can verify exposure by inspecting the binary with readelf; a RUNPATH containing "../lib/native/" combined with root ownership and the setuid bit indicates a vulnerable installation. NetApp and Apache advisories reiterate that disabling the setuid bit or moving to the patched release eliminates the risk, although the former disables YARN Secure Containers.
EPSS scores for the CVE rose from a low baseline to a peak of 0.1683, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2933
Vulnerability details
Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.
Hadoop 3.3.0 updated YARN Secure Containers (https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html) to add a feature for executing user-submitted applications in isolated Linux containers. The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs. The patch YARN-10495 (https://issues.apache.org/jira/browse/YARN-10495), "make the rpath of container-executor configurable", modified the library loading path for loading .so files from "$ORIGIN/" to "$ORIGIN/:../lib/native/". This is a path through which libcrypto.so is located. Thus it is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root. If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted jobs are executed on the physical host rather than in a container, then the CVE permits remote users to gain root privileges. The fix for the vulnerability is to revert the change, which is done in YARN-11441 (https://issues.apache.org/jira/browse/YARN-11441), "Revert YARN-10495". This patch is in hadoop-3.3.5. To determine whether a version of container-executor is vulnerable, use the readelf command.
If the RUNPATH or RPATH value contains the relative path "../lib/native/" then it is at risk:

    $ readelf -d container-executor|grep 'RUNPATH\|RPATH'
     0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/:../lib/native/]

If it does not, then it is safe:

    $ readelf -d container-executor|grep 'RUNPATH\|RPATH'
     0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]

For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set:

    $ ls -laF /opt/hadoop/bin/container-executor
    ---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

A safe installation lacks the suid bit; ideally it is also not owned by root:

    $ ls -laF /opt/hadoop/bin/container-executor
    -rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

This configuration does not support YARN Secure Containers, but all other Hadoop services, including YARN job execution outside secure containers, continue to work.
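The two checks above (RUNPATH/RPATH contents, then root ownership plus the suid bit) can be combined into a single classification, as in this added example; it is not code from the Apache advisory or the Hadoop project, the ce_* helper names are this example's own, and the file-based wrapper assumes binutils readelf and GNU stat.

```sh
#!/bin/sh
# Added example, not from the Apache advisory or the Hadoop project:
# apply the advisory's two conditions (RUNPATH/RPATH contains "../lib/native/",
# binary is root-owned with the setuid bit) to a container-executor binary.

# Print the bracketed value of every RUNPATH/RPATH entry in `readelf -d` output.
ce_extract_runpath() {
    printf '%s\n' "$1" | grep 'RUNPATH\|RPATH' | sed -n 's/.*\[\(.*\)\].*/\1/p'
}

# ce_classify READELF_OUTPUT OWNER MODE
#   MODE is the octal mode as printed by GNU `stat -c %a` (e.g. 6050 or 755).
# Prints VULNERABLE    : at-risk RUNPATH, root-owned, setuid set (root escalation possible)
#        AT-RISK-BUILD : at-risk RUNPATH, but not root+setuid, so not exploitable as installed
#        SAFE          : RUNPATH is "$ORIGIN/" only (YARN-11441 / Hadoop 3.3.5 behaviour)
ce_classify() {
    runpath=$(ce_extract_runpath "$1")
    owner=$2
    mode=$3
    case "$runpath" in
        *'../lib/native/'*) at_risk=1 ;;
        *)                  at_risk=0 ;;
    esac
    # The setuid bit (04000) lives in the leading digit of a 4-digit octal mode.
    case "$mode" in
        [4567]???) suid=1 ;;
        *)         suid=0 ;;
    esac
    if [ "$at_risk" -eq 1 ] && [ "$owner" = root ] && [ "$suid" -eq 1 ]; then
        echo VULNERABLE
    elif [ "$at_risk" -eq 1 ]; then
        echo AT-RISK-BUILD
    else
        echo SAFE
    fi
}

# Run the same checks against a real file (binutils readelf and GNU stat assumed).
ce_check_file() {
    f=${1:-/opt/hadoop/bin/container-executor}
    ce_classify "$(readelf -d "$f")" "$(stat -c %U "$f")" "$(stat -c %a "$f")"
}

# Constructed samples: the two readelf lines quoted in the advisory.
CE_SAMPLE_VULN='0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/:../lib/native/]'
CE_SAMPLE_SAFE='0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]'
```

Running ce_check_file on each YARN NodeManager host gives one of the three verdicts; only VULNERABLE installations combine all the conditions the advisory lists.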
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.