Apache Hadoop
Hadoop CVE List
This page lists security fixes that the Hadoop PMC felt warranted a CVE. If you think something is missing from this list or if you think the set of impacted or fixed versions is incomplete, then please ask on the Security list.
CVEs are presented in most-recent-first order of announcement.
CVE-2025-27821
Out of bounds write in URI parser of native HDFS client
Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client.
This issue affects Apache Hadoop: from 3.2.0 before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
This issue is being tracked as HDFS-17754.
Versions affected
: 3.2.0 to 3.4.1
Fixed versions
: 3.4.2
Impact
: Memory Corruption
Reporter
: BUI Ngoc Tan
Reported Date
: 2025/03/01
Issue Announced
: 2026/01/23
CVE-2023-26031
Privilege escalation in Apache Hadoop Yarn container-executor binary on Linux systems
Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.
Hadoop 3.3.0 updated the YARN Secure Containers to add a feature for executing user-submitted applications in isolated linux containers.
The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.
The patch YARN-10495, “make the rpath of container-executor configurable”, modified the library loading path for loading .so files from $ORIGIN/ to $ORIGIN/:../lib/native/ . This is the path through which libcrypto.so is located. Thus it is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.
If the YARN cluster is accepting work from remote (authenticated) users, and these users’ submitted jobs are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.
The fix for the vulnerability is to revert the change, which is done in YARN-11441, “Revert YARN-10495”. This patch is in hadoop-3.3.5.
To determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path ./lib/native/ then it is at risk:
$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/]
If it does not, then it is safe:
$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/]
For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set:
$ ls -laF /opt/hadoop/bin/container-executor
---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
A safe installation lacks the suid bit; ideally it is also not owned by root.
$ ls -laF /opt/hadoop/bin/container-executor
-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
This configuration does not support YARN Secure Containers, but all other Hadoop services, including YARN job execution outside secure containers, continue to work.
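The two checks above combined into one script, as an added example that is not part of the advisory or of Hadoop's own code: it reports a binary as vulnerable only when the RUNPATH/RPATH value contains ./lib/native/ and the file is suid root. The function names and result strings are made up for illustration, and the script assumes Linux with binutils readelf and GNU stat.

```sh
#!/bin/sh
# Added example (not Hadoop project code). Assumes Linux with binutils
# readelf and GNU stat; function names are made up for illustration.

# Constructed samples: the two `readelf -d` lines quoted in the advisory.
SAMPLE_AT_RISK=' 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/]'
SAMPLE_FIXED=' 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/]'

# Print the bracketed RPATH/RUNPATH value from `readelf -d` output ($1).
runpath_value() {
    printf '%s\n' "$1" | sed -nE 's/.*\((RUNPATH|RPATH)\).*\[(.*)\].*/\2/p'
}

# Succeed if the value contains the relative path named in the advisory.
runpath_at_risk() {
    runpath_value "$1" | grep -Fq './lib/native/'
}

# Succeed if the owner uid ($2) is root and the octal mode ($1) has setuid.
is_suid_root() {
    [ "$2" -eq 0 ] && [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Combine both conditions: $1 = readelf output, $2 = octal mode, $3 = uid.
classify() {
    if ! runpath_at_risk "$1"; then
        echo "safe-runpath"
    elif is_suid_root "$2" "$3"; then
        echo "vulnerable"
    else
        echo "at-risk-not-suid-root"
    fi
}

# Inspect a real binary, e.g.
#   check_container_executor /opt/hadoop/bin/container-executor
check_container_executor() {
    dyn=$(readelf -d "$1") || return 2
    mode=$(stat -c '%a' "$1") || return 2
    uid=$(stat -c '%u' "$1") || return 2
    classify "$dyn" "$mode" "$uid"
}
```

A result of at-risk-not-suid-root corresponds to the non-suid installation described above: the binary still carries the relative path, so it becomes vulnerable again if it is later made suid root.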
Versions affected
: 3.3.1 to 3.3.4
Fixed versions
: 3.3.5
Impact
: privilege escalation
Reporter
: Esa Hiltunen, Mikko Kortelainen
Reported Date
: 2022/07/13
Issue Announced
: 2023/11/16 (general@hadoop)
CVE-2021-25642
Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler
ZKConfigurationStore which is optionally used by CapacityScheduler of
Apache Hadoop YARN deserializes data obtained from ZooKeeper without
validation. An attacker having access to ZooKeeper can run arbitrary
commands as YARN user by exploiting this.
Versions affected
: 2.9.0 to 2.10.1, 3.0.0-alpha to 3.2.3, 3.3.0 to 3.3.3
Fixed versions
: 2.10.2, 3.2.4, 3.3.4
Impact
: remote command execution
Reporter
: Liu Ximing
Reported Date
: 2020/12/16
Issue Announced
: 2022/08/25 (general@hadoop)
CVE-2022-25168
Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar
Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the
input file name before being passed to the shell. An attacker can
inject arbitrary commands.
This is only used in Hadoop 3.3
InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by
a local user.
It has been used in Hadoop 2.x for yarn localization, which does
enable remote code execution.
It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the
ADD ARCHIVE command adds new binaries to the classpath, being able to
execute shell scripts does not confer new permissions to the caller.
SPARK-38305. “Check existence of file before untarring/zipping”, which
is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being
executed, regardless of which version of the hadoop libraries are in
use.
Versions affected
: 2.0.0 to 2.10.1, 3.0.0-alpha1 to 3.2.3, 3.3.0 to 3.3.2
Fixed versions
: 2.10.2, 3.2.4, 3.3.3
Impact
: injection attack
Reporter
: Kostya Kortchinsky
Reported Date
: 2022/02/12
Issue Announced
: 2022/08/04 (general@hadoop)
CVE-2021-33036
Apache Hadoop Privilege escalation vulnerability
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to
3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can
possibly run arbitrary commands as root user.
If you are using the affected version of Apache Hadoop and some users
can escalate to yarn user and cannot escalate to root user, remove the
permission to escalate to yarn user from them.
Versions affected
: 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, 3.3.0 to 3.3.1
Fixed versions
: 2.10.2, 3.2.3, 3.3.2
Impact
: privilege escalation
Reporter
: Hideyuki Furue
Reported Date
: 2021/05/05
Issue Announced
: 2022/06/15 (general@hadoop)
CVE-2021-37404
Heap buffer overflow in libhdfs native library
There is a potential heap buffer overflow in libhdfs native code.
Opening a file path provided by user without validation may result in
a denial of service or arbitrary code execution.
Versions affected
: 2.9.0 to 2.10.1, 3.0.0 to 3.1.4, 3.2.0 to 3.2.2, 3.3.0 to 3.3.1
Fixed versions
: 2.10.2, 3.2.3, 3.3.2
Impact
: denial of service or arbitrary code execution
Reporter
: Igor Chervatyuk
Reported Date
: 2021/04/04
Issue Announced
: 2022/06/11 (general@hadoop)
CVE-2022-26612
Arbitrary file write during untar on Windows
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However, on Windows, getCanonicalPath doesn’t resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows.
Users of the affected versions should apply either of the following mitigations:
Do not run any of the YARN daemons as a user possessing the permissions to create symlinks on Windows.
Do not use symlinks in the tar file.
Versions affected
: Versions below 3.2.3, 3.3.2
Fixed versions
: 3.2.3, 3.3.3, 3.4 onwards
Impact
: file write to arbitrary path in Windows
Reporter
: A member of GitHub Security Lab, Jaroslav Lobačevski
Reported Date
: 2022/02/09
Issue Announced
: 2022/04/7 (general@hadoop)
CVE-2020-9492
Apache Hadoop Potential privilege escalation
WebHDFS client might send SPNEGO authorization header to remote URL
without proper verification. A crafty user can trigger services to
send server credentials to a webhdfs path for capturing the service
principal.
Users of the affected versions should apply either of the following mitigations:
Set different http signature secrets and use dedicated hosts for each privileged impersonation service (such as HiveServer2).
Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer with TLS encryption enabled and configure dfs.http.policy to HTTPS_ONLY.
Versions affected
: 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0
Fixed versions
: 3.2.2, 3.1.4, 2.10.1
Impact
: privilege escalation
Reporter
: Kevin Risden
Reported Date
: 2020/03/17
Issue Announced
: 2021/01/26 (general@hadoop)
CVE-2018-11764
Apache Hadoop Privilege escalation in web endpoint
Web endpoint authentication check is broken. Authenticated users may
impersonate any user even if no proxy user is configured.
Versions affected
: 3.0.0-alpha4, 3.0.0-beta1, 3.0.0
Fixed versions
: 3.0.1
Impact
: privilege escalation
Reporter
: Daryn Sharp
Reported Date
: 2018/03/17
Issue Announced
: 2020/10/21 (general@hadoop)
CVE-2018-11765
Potential information disclosure in Apache Hadoop Web interfaces
When Kerberos authentication is enabled and SPNEGO through HTTP is not enabled,
any users can access some servlets without authentication.
Versions affected
: 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5
Fixed versions
: 3.0.1, 2.10.0
Impact
: information disclosure
Reporter
: Larry McCay (Discovered by Owen O’Malley)
Reported Date
: 2018/03/11
Issue Announced
: 2020/09/28 (general@hadoop)
CVE-2018-11768
Apache Hadoop HDFS FSImage Corruption
There is a mismatch in the size of the fields used to store user/group
information between memory and disk representation. This causes the user/group
information to be corrupted across storing in fsimage and reading back from
fsimage.
This vulnerability fix contains a fsimage layout change, so once the image is
saved in the new layout format you cannot go back to a version that doesn’t
support the newer layout. This means that once 2.7.x users upgraded to the
fixed version, they cannot downgrade to 2.7.x because there is no fixed version
in 2.7.x. We suggest downgrading to 2.8.5 or a later version that contains the
vulnerability fix.
Versions affected
: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4
Fixed versions
: 3.1.2, 2.9.2, 2.8.5
Impact
: information disclosure
Reporter
: Ekanth Sethuramalingam
Reported Date
: 2018/06/05
Issue Announced
: 2019/10/03 (general@hadoop)
CVE-2018-8029
Apache Hadoop Privilege escalation vulnerability
A user who can escalate to yarn user can possibly run arbitrary
commands as root user.
Versions affected
: 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4
Fixed versions
: 3.1.1, 2.9.2, 2.8.5
Impact
: privilege escalation
Reporter
: Miklos Szegedi
Reported Date
: 2018/05/08
Issue Announced
: 2019/05/30 (general@hadoop)
CVE-2018-11767
Apache Hadoop KMS ACL regression
After the security fix for CVE-2017-15713, KMS has an access control regression,
blocking users or granting access to users incorrectly, if the system
uses non-default groups mapping mechanisms such as LdapGroupsMapping,
CompositeGroupsMapping, or NullGroupsMapping.
Versions affected
: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6
Fixed versions
: 2.9.2, 2.8.5, 2.7.7
Impact
: privilege escalation
Reporter
: Wei-Chiu Chuang
Reported Date
: 2018/05/09
Issue Announced
: 2019/03/11 (general@hadoop)
CVE-2018-1296
Apache Hadoop HDFS Permissive listXAttr Authorization
HDFS exposes extended attribute key/value pairs during listXAttrs,
verifying only path-level search access to the directory rather than
path-level read permission to the referent. This affects features that
store sensitive data in extended attributes, such as HDFS encryption
secrets.
Versions affected
: 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5
Fixed versions
: 3.0.1, 2.9.1, 2.8.4, 2.7.6
Impact
: information disclosure
Reporter
: Rushabh Shah
Reported Date
: 2018/02/09
Issue Announced
: 2019/01/24 (general@hadoop)
CVE-2018-11766
Apache Hadoop privilege escalation vulnerability
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is
incomplete. A user who can escalate to yarn user can possibly run arbitrary
commands as root user.
Versions affected
: 2.7.4 to 2.7.6
Fixed versions
: 2.7.7
Impact
: privilege escalation
Reporter
: Wilfred Spiegelenburg
Reported Date
: 2018/05/04
Issue Announced
: 2018/11/27 (general@hadoop)
CVE-2018-8009
Apache Hadoop distributed cache archive vulnerability
Vulnerability allows a cluster user to publish a public
archive that can affect other files owned by the user running the YARN
NodeManager daemon. If the impacted files belong to another already
localized, public archive on the node then code can be injected into
the jobs of other cluster users using the public archive.
Versions affected
: 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11
Fixed versions
: 3.1.1, 3.0.3, 2.9.2, 2.8.5, 2.7.7
Impact
: injection attack
Credit
: Snyk Security Research Team
Reported Date
: 2018/04/19
Issue Announced
: 2018/11/22 (user@hadoop)
CVE-2016-6811
Apache Hadoop Privilege escalation vulnerability
A user who can escalate to yarn user can possibly run arbitrary commands as root user.
Versions affected
: 2.2.0 to 2.7.3
Fixed versions
: 2.7.4 or newer
Impact
: privilege escalation
Reporter
: Freddie Rice
Reported Date
: 2016/07/06
Issue Announced
: 2018/05/01 (user@hadoop)
Note: The fix for this vulnerability is incomplete in Apache Hadoop 2.7.4 to 2.7.6 (CVE-2018-11766).
CVE-2017-15718
Apache Hadoop YARN NodeManager vulnerability
In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete.
The YARN NodeManager can leak the password for credential store provider
used by the NodeManager to YARN Applications.
If you use the CredentialProvider feature to encrypt passwords used in
NodeManager configs, it may be possible for any Container launched
by that NodeManager to gain access to the encryption password.
The other passwords themselves are not directly exposed.
Versions affected
: 2.7.3, 2.7.4
Fixed versions
: 2.7.5
Impact
: privilege escalation
Reporter
: Vinayakumar B.
Reported Date
: 2017/09/18
Issue Announced
: 2018/01/24 (user@hadoop)
CVE-2017-15713
Apache Hadoop MapReduce job history server vulnerability
Vulnerability allows a cluster user to expose private files
owned by the user running the MapReduce job history server process.
The malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history
server host.
Versions affected
: 3.0.0-alpha to 3.0.0-beta1, 2.8.0 to 2.8.2, 2.0.0-alpha to 2.7.4, 0.23.0 to 0.23.11
Fixed versions
: 3.0.0, 2.9.0, 2.8.3, 2.7.5
Impact
: privilege escalation
Reporter
: Man Yue Mo of lgtm.com
Reported Date
: 2017/06/30
Issue Announced
: 2018/01/19 (user@hadoop)
CVE-2017-3166
Apache Hadoop Privilege escalation vulnerability
In a cluster where the YARN user has been granted access to all HDFS
encryption keys, if a file in an encryption zone with access permissions
that make it world readable is localized via YARN’s localization mechanism,
e.g. via the MapReduce distributed cache, that file will be stored
in a world-readable location and shared freely with any application
that requests to localize that file, no matter who the application owner
is or whether that user should be allowed to access files from the
target encryption zone.
Versions affected
: 3.0.0-alpha1 - 3.0.0-alpha3 , 2.7.0 to 2.7.3, 2.6.1-2.6.5
Fixed versions
: 3.0.0-alpha4, 2.8.0, 2.7.4
Impact
: privilege escalation
Reporter
: Luke Herbert
Reported Date
: 2016/11/18
Issue Announced
: 2017/11/08 (general@hadoop)
Third-party vulnerabilities
The following section describes third-party vulnerabilities that may be of interest to Hadoop users. Please contact the respective project owners for details.
CVE-2021-44228
Log4Shell Vulnerability
It is understood that the log4shell vulnerability CVE-2021-44228 impacts log4j2. Hadoop, as of 3.3.x, depends on log4j 1.x, which is NOT susceptible to the attack. Once we migrate over to log4j2, we will adopt a version that is not susceptible to the attack, too. Therefore, no ASF version of Hadoop has ever been vulnerable. Third party products and applications based on Hadoop may be vulnerable; please consult the vendor or the project owner.
Versions affected
: N/A
CVE-2021-4104
Log4Shell Vulnerability
JMSAppender in Log4j 1.2, used by all versions of Apache Hadoop, is vulnerable to the Log4Shell attack in a similar fashion to CVE-2021-44228. However, the JMSAppender is not the default configuration shipped in Hadoop. When JMSAppender is not enabled, Hadoop is not vulnerable to the attack.
To mitigate the risk, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself following the instructions in this link.
Versions affected
: N/A