Support Questions

Find answers, ask questions, and share your expertise

CVE-2022-25168

New Contributor

Hello, I would like to know if this CVE which impacts Apache Hadoop is already resolve into HDP or CDP products ?

 

Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands.

Versions affected: 2.0.0 to 2.10.1, 3.0.0-alpha1 to 3.2.3, 3.3.0 to 3.3.2

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168

 

And, do we have any precautions other than upgrading?

Thanks in advance for your help.

1 ACCEPTED SOLUTION

Expert Contributor

Hi @Cqcmcc ,

 

This CVE is fixed in CDP 7.1.7 SP1. It is recommended that you upgrade to this version and above to resolve this issue. As of now there is no precautionary step to mitigate this other than a patch or upgrade.

 

-
Was your question answered? Please take some time to click on “Accept as Solution” below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

4 REPLIES 4

Expert Contributor

Hi @Cqcmcc ,

 

This CVE is fixed in CDP 7.1.7 SP1. It is recommended that you upgrade to this version and above to resolve this issue. As of now there is no precautionary step to mitigate this other than a patch or upgrade.

 

-
Was your question answered? Please take some time to click on “Accept as Solution” below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Community Manager

@Cqcmcc, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.  



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

New Contributor

For CDH, HDP, HDF, and CDP Private Cloud and Data Services, TSB 2021-545 - Critical vulnerability in log4j2 CVE-2021-44228 - has been resolved.

New Contributor

Gratitude for the update The issue is now fixed. thanks

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.