Support Questions

Find answers, ask questions, and share your expertise

CVE-2021-33036

Hello, I would like to know if this CVE which impacts Apache Hadoop is already resolve into HDP or CDP products ?

 

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

 

https://nvd.nist.gov/vuln/detail/CVE-2021-33036

Thanks in advance for your help.

1 ACCEPTED SOLUTION

Expert Contributor

Hi @jeromedruais ,

 

This CVE will be addressed in CDP 7.1.8. Till then, you can use the below precautions:

 

1. ensure in the linux sudoers files that there is no entry allowing users or groups to run as the yarn account. 2. ensure the cluster is kerberized

3. ensure the permissions for the yarn keytabs are not readable by others. find /var/run/cloudera-scm-agent/ | grep yarn | grep keytab (by default in kerberized cdp, others can't read these service keytabs)

View solution in original post

2 REPLIES 2

Expert Contributor

Hi @jeromedruais ,

 

This CVE will be addressed in CDP 7.1.8. Till then, you can use the below precautions:

 

1. ensure in the linux sudoers files that there is no entry allowing users or groups to run as the yarn account. 2. ensure the cluster is kerberized

3. ensure the permissions for the yarn keytabs are not readable by others. find /var/run/cloudera-scm-agent/ | grep yarn | grep keytab (by default in kerberized cdp, others can't read these service keytabs)

Community Manager

@jeromedruais, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.  



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.