Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-9718

Yarn REST API, services endpoint remote command ejection

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0, 3.2.0, 3.1.1, 3.1.2
    • Fix Version/s: 3.3.0, 3.2.1, 3.1.4
    • Component/s: None
    • Labels:
      None

      Description

      Email from Oskars Vegeris:

       
      During internal infrastructure testing it was discovered that the Hadoop Yarn REST endpoint /app/v1/services contains a command injection vulnerability.
       
      The services endpoint's normal use-case is for launching containers (e.g. Docker images/apps), however by providing an argument with special shell characters it is possible to execute arbitrary commands on the Host server - this would allow to escalate privileges and access. 
       
      The command injection is possible in the parameter for JVM options - "yarn.service.am.java.opts". It's possible to enter arbitrary shell commands by using sub-shell syntax `cmd` or $(cmd). No shell character filtering is performed. 
       
      The "launch_command" which needs to be provided is meant for the container and if it's not being run in privileged mode or with special options, host OS should not be accessible.
       
      I've attached a minimal request sample with an injected 'ping' command. The endpoint can also be found via UI @ http://yarn-resource-manager:8088/ui2/#/yarn-services
       
      If no auth, or "simple auth" (username) is enabled, commands can be executed on the host OS. I know commands can also be ran by the "new-application" feature, however this is clearly not meant to be a way to touch the host OS.

        Attachments

        1. YARN-9718.001.patch
          6 kB
          Eric Yang
        2. YARN-9718.002.patch
          6 kB
          Eric Yang
        3. YARN-9718.003.patch
          6 kB
          Eric Yang
        4. YARN-9718.004.patch
          5 kB
          Eric Yang
        5. YARN-9718-branch-3.1.01.patch
          5 kB
          Billie Rinaldi

          Activity

            People

            • Assignee:
              eyang Eric Yang
              Reporter:
              eyang Eric Yang
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: