CVE-2022-25168

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Aug 4, 2022 / Updated: 27mo ago

CVSS 9.8 / EPSS 0.29% / Critical

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
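The description above comes down to one coding pattern: a file name spliced into a command string that a shell then parses. The Java class below is an added illustration, not Hadoop's own FileUtil code and not the HADOOP-18136 or SPARK-38305 patch; the class and method names are hypothetical, and it assumes a `tar` binary on PATH. It places the string-building pattern that makes the name part of the command's syntax beside the argv-list pattern that keeps it a plain file name, and adds the "check that the file exists before untarring" guard the description credits with stopping the shell execution.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;

// Added illustration (hypothetical names, not Hadoop's code): two ways to hand
// a file name to tar, and why only the argv form is safe against CWE-88.
public class UnTarExample {

    // UNSAFE pattern: the file name becomes part of a string that a shell
    // parses. A quote or metacharacter in the name changes the structure of
    // the command instead of remaining part of the file name.
    public static String buildShellCommandUnsafe(File tarFile, File destDir) {
        return "cd '" + destDir.getPath() + "' && tar -xf '" + tarFile.getPath() + "'";
    }

    // SAFE pattern: no shell is involved. Each list element is exactly one
    // argv entry, so the name reaches tar byte-for-byte. Absolute paths start
    // with '/', so tar cannot mistake them for options either. The isFile()
    // check mirrors the "check existence of file before untarring" mitigation.
    public static List<String> buildArgv(File tarFile, File destDir) throws IOException {
        if (!tarFile.isFile()) {
            throw new IOException("refusing to untar: not a regular file: " + tarFile);
        }
        if (!destDir.isDirectory()) {
            throw new IOException("refusing to untar: not a directory: " + destDir);
        }
        return Arrays.asList(
                "tar", "-x",
                "-C", destDir.getAbsolutePath(),
                "-f", tarFile.getAbsolutePath());
    }

    // Runs the safe form via ProcessBuilder (argv list, no shell).
    public static int unTar(File tarFile, File destDir) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(buildArgv(tarFile, destDir))
                .inheritIO()
                .start();
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        File work = Files.createTempDirectory("untar-demo").toFile();
        File src = new File(work, "src");
        File out = new File(work, "out");
        src.mkdir();
        out.mkdir();
        Files.write(new File(src, "hello.txt").toPath(), "hello".getBytes(StandardCharsets.UTF_8));

        // Constructed sample name carrying a single quote and a semicolon:
        // exactly the characters that break the single-quoted unsafe form.
        File tarFile = new File(work, "it's; not a command.tar");

        // Printed only, never executed: the name has escaped the quotes.
        System.out.println("unsafe command string: " + buildShellCommandUnsafe(tarFile, out));

        // Create the archive with the same argv discipline (tar -c -C src -f file .).
        int rc = new ProcessBuilder("tar", "-c",
                "-C", src.getAbsolutePath(),
                "-f", tarFile.getAbsolutePath(), ".")
                .inheritIO().start().waitFor();
        if (rc != 0) {
            throw new IOException("tar -c failed with exit code " + rc);
        }

        System.out.println("safe argv: " + buildArgv(tarFile, out));
        rc = unTar(tarFile, out);
        System.out.println("tar exit code " + rc
                + ", extracted hello.txt: " + new File(out, "hello.txt").isFile());
    }
}
```

Compile and run with `javac UnTarExample.java && java UnTarExample`. The awkward file name is archived and extracted correctly by the argv form because tar never sees a shell; the printed unsafe string shows the same name closing the single quotes early, which is the condition the CVE describes. A code review or static check for this class of bug looks for `Runtime.exec`/`ProcessBuilder` calls that pass a single concatenated string to `sh -c` or `bash -c` with caller-controlled path components.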

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2022-25168. See article

Aug 4, 2022 at 10:39 AM / www.mail-archive.com
EPSS

EPSS Score was set to: 0.29% (Percentile: 64.9%)

Sep 27, 2023 at 1:16 AM
Threat Intelligence Report

The vulnerability CVE-2022-25168 affects hadoop-common-3.2.2.jar versions lower than 9.1. It is not critical for Solr as it only uses HDFS as a client and does not utilize the vulnerable code. There is no information provided regarding exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts to other vendors or technology. See article

Feb 9, 2024 at 6:05 PM
Static CVE Timeline Graph

Affected Systems

Apache/hadoop

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-137: Parameter Injection

Vendor Advisory

CVE-2022-25168
Red Hat Integration Data Virtualisation Operator - hadoop - Out of support scope
Red Hat JBoss Data Grid 7 - hadoop - Out of support scope

References

Rewterz Threat Advisory – CVE-2022-25168 – Apache Hadoop Vulnerability
Apache Hadoop could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input file name validation by the FileUtil.unTar(File, File) API. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2022-25168: Apache Hadoop Command Injection Vulnerability
Since Apache Hadoop’s FileUtil.unTar API does not escape the input filename before passing it to the shell, an attacker could exploit this vulnerability to inject arbitrary commands and thus achieve remote code execution. “Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell.”
Daily Vulnerability Trends: Sun Aug 07 2022
CVE-2022-33318 Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows a remote unauthenticated attacker to execute an arbitrary malicious code by sending specially crafted packets to the GENESIS64 server. CVE-2022-22954 VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection.
See 2 more references

News

A Week of Malware Exploitations and Sustained Botnet Activity - Loginsoft
With a high-severity CVSS score of 9.1, this flaw has been flagged in the CISA Known Exploited Vulnerabilities (KEV) catalog. A deserialization vulnerability in Veeam Backup & Replication affecting versions 12.1.2.172 and earlier, allows unauthenticated remote code execution, carrying a high-severity CVSS score of 9.8.
A Week of Emerging Zero-Day vulnerabilities and Threats - Loginsoft
A remote code execution vulnerability in Microsoft Management Console (MMC), with a CVSS score of 7.8, enables malicious MSC files to execute remote code on vulnerable systems and has been added to the CISA KEV list. A spoofing vulnerability in the Windows MSHTML Platform, which can be exploited by a remote attacker by tricking a user into opening a malicious file, has been added to the CISA KEV list.
Multiple vulnerabilities in IBM watsonx.data
A remote authenticated user can use vulnerable API endpoint to execute arbitrary YARN commands on the system as root. The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
Multiple vulnerabilities in IBM Application Performance Management
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
Third-Party Software Update Catalog Release History – July 2024
Third-Party Software Update Catalog Release History – July 2024 In July 2024, our third-party software update catalog for Microsoft SCCM contained 1100 bug, feature, and security-related updates. Below you will find a full list of relevant updates and new products for July 2024. 1100 Total Updates 316 Security Updates 239 of the 316 security updates include CVE-IDs 62 New Products New Products: AIMP 5.30.2560.0 (EXE-x64) AIMP 5.30.2560.0 (EXE-x86) Alfaview 9.13.0 (MSI-x64) Alfaview 9.13.0 (User-x64) Android Studio 2024.1.0 (EXE-x64) Anyware PCoIP Client 24.3.4.0 (EXE-x64) Appium Inspector 2024.6.1.0 (EXE-x64) Appium Inspector 2024.6.1.0 (User-x64) ASAP Utilities 8.6.0.0 (EXE-x86) ATLAS.ti 24.1.1.30813 (MSI-x64) Beyond Compare 5.0.0.29773 (EXE-x64) Beyond Compare 5.0.0.29773 (User-x64) BlueJ 5.3.0.0 (MSI-x64) Brave 126.1.67.123 (EXE-x64) Brave 126.1.67.123 (User-x64) Coder 2.12.3.0 CrashPlan 11.4.0.503 (MSI-x64) Crestron AirMedia 5.9.1.245 (MSI-x86) Crestron AirMedia 5.9.1.245 (User-x64) Dolphin EasyReader 11.0.1.593 (EXE-x86) doPDF Latest 11.9.465.0 (EXE-x64) Fusion 2022.2402.1.400 (EXE-x64) Fusion 2023.2402.1.400 (EXE-x64) Fusion 2024.2406.14.400 (EXE-x64) Fuze 23.11.14510.0 (EXE-x64) Global Relay 3.5.0.0 (User-x64) KeeWeb 1.18.7.0 (EXE-x64) LuxTrust Middleware 1.8.0.4 (EXE-x64) MakerBot Print 4.10.1.2056 (EXE-x64) Microsoft Visual Studio 2010 Tools for Office Runtime 10.0.60917.0 (EXE-x64) Mirth Connect Administrator Launcher 1.4.1 (EXE-x64) Mirth Connect Administrator Launcher 1.4.1 (EXE-x86) NordVPN 7.26.2.0 (EXE-x64) Oh My Posh 22.0.3 (EXE-x64) Oh My Posh 22.0.3 (User-x64) pdfFiller 1.0.89.0 (EXE-x86) Proton Drive 1.6.2.0 (User-x64) Proton Mail 1.0.5.0 (User-x64) Proton Mail Bridge 3.12.0.0 (EXE-x64) Proton Pass 1.20.2.0 (User-x64) Proton VPN 3.2.12.0 (EXE) Qlik Sense Desktop 14.187.7.0 (User-x64) QlikView Desktop 12.90.20000.0 (EXE-x64) QlikView Plugin 12.90.20000.0 (EXE-x86) REAPER 7.18.0 (EXE-x64) REAPER 7.18.0 (EXE-x86) Refinitiv Workspace 1.25.180.0 
(EXE-x64) Refinitiv Workspace 1.25.180.0 (User-x64) RustDesk 1.2.6.0 (EXE-x64) RustDesk 1.2.6.0 (EXE-x86) RustDesk 1.2.6.0 (MSI-x64) RVTools 4.6.1.0 (MSI-x86) Sophos Connect 2.3.1.0619 (MSI-x86) Tulip Player 2.5.1.0 (MSI-x64) Upscayl 2.11.5.0 (EXE-x64) Wacom Tablet Driver 6.4.6.2 (EXE-x64) Wazuh Agent 4.8.0.0 (MSI-x86) Xink Client AD 3.2.41.0 (MSI-x86) XPress 2.19.3.11008 (MSI-x64) XSplit VCam 4.2.2402.0903 (EXE-x64) Zorus Archon Agent 4.2.5.0 (EXE-x64) Zscaler Client Connector for VDI 1.3.014.0 (MSI-x64) Updates Added: (Oldest to Newest) Bruno 1.20.0 (User-x64) Release Notes for Bruno 1.20.0 (User-x64) Release Type: ⬤ ⬤ Scan Detection Ratio 0/63 VirusTotal Latest Scan Results (User-x64) CCleaner 6.25.11131 Release Notes for CCleaner 6.25.11131 Release Type: ⬤ ⬤ Scan Detection Ratio 0/71
See 43 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories
