CVE-2021-33036
📋 TL;DR
This CVE allows a user who can escalate to the yarn user account in Apache Hadoop to execute arbitrary commands as the root user, leading to complete system compromise. It affects Apache Hadoop versions 2.2.0-2.10.1, 3.0.0-alpha1-3.1.4, 3.2.0-3.2.2, and 3.3.0-3.3.1. Organizations running these vulnerable versions are at risk.
💻 Affected Systems
- Apache Hadoop
📦 What is this software?
Hadoop by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete root-level compromise of the Hadoop cluster, allowing attackers to steal all data, install persistent backdoors, or disrupt operations entirely.
Likely Case
Privilege escalation from yarn user to root, enabling data exfiltration, service disruption, or lateral movement within the environment.
If Mitigated
Limited impact if proper access controls prevent unauthorized users from becoming yarn user, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires initial access to escalate to the yarn user, followed by the escalation from yarn to root. No public PoC is available, but the technical details are public.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.2, 3.2.3, 3.3.2 or higher
Vendor Advisory: https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Download the patched version from the Apache Hadoop website.
3. Stop Hadoop services.
4. Replace the installation with the patched version.
5. Restart services and verify functionality.
🔧 Temporary Workarounds
Restrict yarn user access
Linux: Implement strict access controls to prevent unauthorized users from escalating to the yarn user account.
# Review and tighten sudoers configuration
# Remove unnecessary yarn user privileges
# Implement least privilege access controls
Network segmentation
All platforms: Isolate Hadoop clusters from sensitive systems to limit lateral movement potential.
# Configure firewall rules to restrict Hadoop cluster network access
# Implement network segmentation between Hadoop and other systems
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from becoming yarn user
- Monitor for privilege escalation attempts and unusual yarn user activity
🔍 How to Verify
Check if Vulnerable:
Run the 'hadoop version' command and compare the reported version against the affected ranges listed above.
Check Version:
hadoop version
Verify Fix Applied:
After patching, run 'hadoop version' to confirm version is 2.10.2+, 3.2.3+, or 3.3.2+.
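The comparison above is easy to get wrong by hand because one affected range starts at a pre-release (3.0.0-alpha1) and the 3.1.x line has no listed patched release. The following checker is an added example, not part of this advisory or of Apache Hadoop: it parses the first line of 'hadoop version' output and tests the version against the affected ranges quoted above, ordering alpha/beta builds before the corresponding final release. The sample output is constructed; vendor-suffixed builds (e.g. distribution-specific version strings) are rejected rather than guessed at.

```python
import re

# Affected ranges, inclusive, exactly as listed in the advisory for CVE-2021-33036.
AFFECTED_RANGES = [
    ("2.2.0", "2.10.1"),
    ("3.0.0-alpha1", "3.1.4"),
    ("3.2.0", "3.2.2"),
    ("3.3.0", "3.3.1"),
]

# Upstream Hadoop version: major.minor.patch with an optional -alphaN / -betaN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta)(\d+))?$")


def parse_version(text):
    """Turn '3.0.0-alpha1' into a sortable tuple; pre-releases sort before the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        # Vendor builds append extra components; map them to the upstream base version
        # using the vendor's advisory instead of guessing here.
        raise ValueError(f"unrecognised Hadoop version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        stage = {"alpha": 0, "beta": 1}[m.group(4)]
        return (major, minor, patch, stage, int(m.group(5)))
    return (major, minor, patch, 2, 0)  # a final release ranks above any alpha/beta of it


def version_from_output(output):
    """Extract the version from `hadoop version` output, whose first line reads 'Hadoop <version>'."""
    for line in output.splitlines():
        m = re.match(r"^Hadoop\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    raise ValueError("no 'Hadoop <version>' line found in output")


def is_vulnerable(version):
    """True if the version falls inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Constructed sample of `hadoop version` output (not captured from a real cluster).
SAMPLE_OUTPUT = """Hadoop 3.3.1
Source code repository https://github.com/apache/hadoop.git -r <commit-placeholder>
Compiled by builder on 2021-01-01T00:00Z
"""

if __name__ == "__main__":
    ver = version_from_output(SAMPLE_OUTPUT)
    print(ver, "VULNERABLE" if is_vulnerable(ver) else "not in affected ranges")
```

On a real node, feed the checker with `subprocess.run(["hadoop", "version"], capture_output=True, text=True).stdout` in place of the constructed sample.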
📡 Detection & Monitoring
Log Indicators:
- Unusual yarn user activity
- Privilege escalation attempts
- Unexpected root-level commands from yarn user context
Network Indicators:
- Unusual outbound connections from Hadoop nodes
- Unexpected network traffic patterns
SIEM Query:
source="hadoop" AND ((user="yarn" AND command="sudo") OR (user="root" AND source_user="yarn"))
🔗 References
- http://www.openwall.com/lists/oss-security/2022/06/15/2
- https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5
- https://security.netapp.com/advisory/ntap-20220722-0003/