https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/349052#M235510 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/78359">@jeromedruais</a>, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.&nbsp;&nbsp;</P> Fri, 29 Jul 2022 05:40:49 GMT VidyaSargur 2022-07-29T05:40:49Z https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/348791#M235450 <DIV class="lia-quilt-row lia-quilt-row-main"><DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-main-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>Hello, I would like to know if this CVE which impacts Apache Hadoop is already resolve into HDP or CDP products ?</P><P>&nbsp;</P><P>In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.</P><P>&nbsp;</P><P><A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-33036</A></P><P>Thanks in advance for your help.</P></DIV></DIV></DIV></DIV></DIV> Tue, 26 Jul 2022 08:29:03 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/348791#M235450 jeromedruais 2022-07-26T08:29:03Z https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/348798#M235454 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/78359">@jeromedruais</a>&nbsp;,</P><P>&nbsp;</P><P>This CVE will be addressed in CDP 7.1.8. Till then, you can use the below&nbsp;precautions:</P><P>&nbsp;</P><P>1. ensure in the linux sudoers files that there is no entry allowing users or groups to run as the yarn account. 2. ensure the cluster is kerberized</P><P>3. ensure the permissions for the yarn keytabs are not readable by others. find /var/run/cloudera-scm-agent/ | grep yarn | grep keytab (by default in kerberized cdp, others can't read these service keytabs)</P> Tue, 26 Jul 2022 09:57:54 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/348798#M235454 rki_ 2022-07-26T09:57:54Z https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/349052#M235510 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/78359">@jeromedruais</a>, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.&nbsp;&nbsp;</P> Fri, 29 Jul 2022 05:40:49 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2021-33036/m-p/349052#M235510 VidyaSargur 2022-07-29T05:40:49Z