Bug 1200648 - (CVE-2021-37404) VUL-0: CVE-2021-37404: hadoop: Heap buffer overflow in Apache Hadoop libhdfs
(CVE-2021-37404)
VUL-0: CVE-2021-37404: hadoop: Heap buffer overflow in Apache Hadoop libhdfs
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Normal
: ---
Assigned To: Jochen Breuer
Security Team bot
https://smash.suse.de/issue/334260/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-06-17 13:27 UTC by Thomas Leroy
Modified: 2022-06-17 13:32 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-06-17 13:27:52 UTC
rh#2097421

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Probable upstream fix:
https://github.com/apache/hadoop/commit/4972e7a246f4aab665fd04ce72d1848bc5da9d4e

References:
https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo
https://bugzilla.redhat.com/show_bug.cgi?id=2097421
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37404
Comment 1 Thomas Leroy 2022-06-17 13:32:12 UTC
The vulnerable function is related to hdfsStreamBuilder, added in this commit [0] and not contained in the versions we ship. Closing.

[0] https://github.com/apache/hadoop/commit/cf8af7bb459b21babaad2d972330a3b4c6bb222d