https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/351895#M236396 <P>For CDH, HDP, HDF, and CDP Private Cloud and Data Services, TSB 2021-545 - Critical vulnerability in log4j2 CVE-2021-44228 - has been resolved.</P> Fri, 09 Sep 2022 23:19:50 GMT ShariAllen 2022-09-09T23:19:50Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/349753#M235759 <P>Hello, I would like to know if this CVE which impacts Apache Hadoop is already resolve into HDP or CDP products ?</P><P>&nbsp;</P><P><SPAN>Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands.</SPAN></P><P><STRONG>Versions affected</STRONG>: 2.0.0 to 2.10.1, 3.0.0-alpha1 to 3.2.3, 3.3.0 to 3.3.2</P><P>&nbsp;</P><P><A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168</A></P><P>&nbsp;</P><P>And, do we have any&nbsp;<SPAN>precautions</SPAN> other than upgrading?</P><P>Thanks in advance for your help.</P> Tue, 09 Aug 2022 08:16:32 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/349753#M235759 Cqcmcc 2022-08-09T08:16:32Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/349758#M235761 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/24355">@Cqcmcc</a>&nbsp;,</P><P>&nbsp;</P><P>This CVE is fixed in CDP 7.1.7 SP1. I<SPAN class="Y2IQFc">t is recommended that you upgrade to this version and above to resolve this issue. As of now there is no precautionary step to mitigate this other than a patch or upgrade.</SPAN></P><P>&nbsp;</P><P><SPAN class="Y2IQFc"><I>-</I><BR /><I>Was your question answered? Please take some time to click on “Accept as Solution” below this post.</I><BR /><I>If you find a reply useful, say thanks by clicking on the thumbs up button.</I></SPAN></P> Tue, 09 Aug 2022 09:17:23 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/349758#M235761 rki_ 2022-08-09T09:17:23Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/350202#M235920 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/24355">@Cqcmcc</a>,&nbsp;Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.&nbsp;&nbsp;</P> Wed, 17 Aug 2022 06:04:44 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/350202#M235920 VidyaSargur 2022-08-17T06:04:44Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/351895#M236396 <P>For CDH, HDP, HDF, and CDP Private Cloud and Data Services, TSB 2021-545 - Critical vulnerability in log4j2 CVE-2021-44228 - has been resolved.</P> Fri, 09 Sep 2022 23:19:50 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/351895#M236396 ShariAllen 2022-09-09T23:19:50Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/353377#M236700 <P>Gratitude for the update The issue is now fixed. thanks</P> Tue, 27 Sep 2022 07:29:20 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/353377#M236700 MaceyNikolaus 2022-09-27T07:29:20Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/368822#M240285 <P>Hello <a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80393">@rki_</a> , as we stil have some clusters running with HDP 2.6.5 (HDP 2.6.5.363-1)for some months before moving to CDP, does exist workarounds to mitigate this CVE ?</P><P>&nbsp;</P><P>Thanks in advance for your answer.</P> Tue, 18 Apr 2023 17:35:27 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-25168/m-p/368822#M240285 jeromedruais 2023-04-18T17:35:27Z