Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

CVE-2022-25168

Labels:
avatar
author-rank Cqcmcc
New Contributor

Created ‎08-09-2022 01:16 AM

Hello, I would like to know if this CVE which impacts Apache Hadoop is already resolve into HDP or CDP products ?

 

Apache Hadoop’s FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands.

Versions affected: 2.0.0 to 2.10.1, 3.0.0-alpha1 to 3.2.3, 3.3.0 to 3.3.2

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25168

 

And, do we have any precautions other than upgrading?

Thanks in advance for your help.

4,860 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rki_ author-rank
Super Collaborator

Created ‎08-09-2022 02:17 AM

Hi @Cqcmcc ,

 

This CVE is fixed in CDP 7.1.7 SP1. It is recommended that you upgrade to this version and above to resolve this issue. As of now there is no precautionary step to mitigate this other than a patch or upgrade.

 

-
Was your question answered? Please take some time to click on “Accept as Solution” below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

4,835 Views
5 REPLIES 5

avatar
author-rank rki_ author-rank
Super Collaborator

Created ‎08-09-2022 02:17 AM

Hi @Cqcmcc ,

 

This CVE is fixed in CDP 7.1.7 SP1. It is recommended that you upgrade to this version and above to resolve this issue. As of now there is no precautionary step to mitigate this other than a patch or upgrade.

 

-
Was your question answered? Please take some time to click on “Accept as Solution” below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

4,836 Views

avatar
author-rank jeromedruais
Explorer

Created ‎04-18-2023 10:35 AM

Hello @rki_ , as we stil have some clusters running with HDP 2.6.5 (HDP 2.6.5.363-1)for some months before moving to CDP, does exist workarounds to mitigate this CVE ?

 

Thanks in advance for your answer.

2,534 Views
0 Kudos

avatar
author-rank VidyaSargur author-rank
Community Manager

Created ‎08-16-2022 11:04 PM

@Cqcmcc, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.  


Regards,

Vidya Sargur,
Community Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
4,685 Views
0 Kudos

avatar
author-rank ShariAllen
New Contributor

Created ‎09-09-2022 04:19 PM

For CDH, HDP, HDF, and CDP Private Cloud and Data Services, TSB 2021-545 - Critical vulnerability in log4j2 CVE-2021-44228 - has been resolved.

4,529 Views
0 Kudos

avatar
author-rank MaceyNikolaus
New Contributor

Created ‎09-27-2022 12:29 AM

Gratitude for the update The issue is now fixed. thanks

4,406 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements