CVE-2022-26612: Arbitrary file write in FileUtil#unpackEntries on Windows
First published: Thu Apr 07 2022(Updated: )
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Hadoop | <3.2.3 | |
| Apache Hadoop | =3.3.1 | |
| Apache Hadoop | =3.3.2 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-26612.
What is the severity of CVE-2022-26612?
The severity of CVE-2022-26612 is critical with a severity value of 9.8.
Which software is affected by CVE-2022-26612?
Apache Hadoop versions up to and including 3.2.3, 3.3.1, and 3.3.2 are affected by CVE-2022-26612.
What is the impact of CVE-2022-26612?
CVE-2022-26612 can allow an attacker to create a symlink that points to an external directory, potentially leading to arbitrary file extraction.
Are Microsoft Windows systems vulnerable to CVE-2022-26612?
No, Microsoft Windows systems are not vulnerable to CVE-2022-26612.
How can I fix CVE-2022-26612?
Update Apache Hadoop to a version that is not vulnerable, such as versions higher than 3.3.2.
Where can I find more information about CVE-2022-26612?
You can find more information about CVE-2022-26612 in the references provided: [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220519-0004/) and [Apache mailing list thread](https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz).
- collector/nvd-api
- collector/nvd-index
- agent/references
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/first-publish-date
- agent/event
- agent/description
- agent/tags
- vendor/apache
- canonical/apache hadoop
- version/apache hadoop/3.3.1
- version/apache hadoop/3.3.2
- vendor/microsoft
- canonical/microsoft windows