CVE-2022-26612

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Hadoop allows attackers to write arbitrary files outside the intended extraction directory on Windows systems during TAR file processing. It affects Hadoop installations running on Windows where TAR extraction functionality is used, potentially leading to arbitrary file writes and remote code execution.

💻 Affected Systems

Products:
  • Apache Hadoop
Versions: All versions before 3.2.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations; Unix/Linux systems are protected by getCanonicalPath resolving symbolic links properly.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment on affected Windows Hadoop nodes.

🟠 Likely Case

Arbitrary file write allowing privilege escalation, configuration modification, or planting of backdoors on Windows Hadoop installations.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and file integrity monitoring are implemented.

🌐 Internet-Facing: MEDIUM - Requires TAR extraction functionality to be exposed and accessible, which is less common in internet-facing deployments.
🏢 Internal Only: HIGH - Internal Hadoop clusters processing user-uploaded TAR files on Windows nodes are significantly at risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload or process malicious TAR files through Hadoop's TAR extraction functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Hadoop 3.2.3

Vendor Advisory: https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz

Restart Required: Yes

Instructions:

1. Upgrade Apache Hadoop to version 3.2.3 or later.
2. Restart all Hadoop services.
3. Verify the upgrade was successful by checking version numbers.

🔧 Temporary Workarounds

Disable TAR extraction on Windows nodes (Platform: windows)

Configure Hadoop to avoid using TAR extraction functionality on Windows systems

# Configure Hadoop to use alternative archive methods or disable tar processing

Restrict TAR file uploads (Platform: all)

Implement input validation to block or sanitize TAR file uploads to Hadoop

# Implement file type validation in frontend/API layers

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Windows Hadoop nodes
  • Deploy file integrity monitoring on Windows Hadoop systems to detect unauthorized file writes

🔍 How to Verify

Check if Vulnerable:

Check the Hadoop version: if Hadoop runs on Windows with a version below 3.2.3, the system is vulnerable.

Check Version:

hadoop version | grep "Hadoop"

Verify Fix Applied:

Verify Hadoop version is 3.2.3 or later and confirm no symlink-based directory traversal occurs during TAR extraction tests
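The symlink-then-write pattern described in the TL;DR and Notes above, and the extraction test called for here, as an added example that is not Hadoop's own code: a Python extractor that canonicalises every entry with realpath (the same resolution the page attributes to getCanonicalPath on Unix) and rejects both the escaping link and any later write through a link already on disk. The TAR contents, entry names and the `demo` helper are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile

def build_symlink_tar() -> bytes:
    # Constructed sample: a symlink entry pointing above the extraction dir, then a file written through it.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("escape")
        link.type, link.linkname = tarfile.SYMTYPE, "../outside"
        tar.addfile(link)
        info = tarfile.TarInfo("escape/config.xml")
        info.size = len(b"overwritten\n")
        tar.addfile(info, io.BytesIO(b"overwritten\n"))
    return buf.getvalue()

def resolves_inside(dest: str, rel_path: str) -> bool:
    # realpath follows symlinks already on disk (what getCanonicalPath does on Unix).
    root = os.path.realpath(dest)
    return os.path.commonpath([root, os.path.realpath(os.path.join(root, rel_path))]) == root

def safe_extract(tar_bytes: bytes, dest: str) -> list:
    # Extract entry by entry so each check sees the tree left by earlier entries.
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in (x for x in tar.getmembers() if not x.isdir()):  # dirs are made on demand
            ok = resolves_inside(dest, m.name) and (m.isfile() or m.issym())  # other types refused
            if m.issym():  # the link target must resolve inside dest as well
                ok = ok and resolves_inside(dest, os.path.join(os.path.dirname(m.name), m.linkname))
            if not ok:
                rejected.append(m.name)
                continue
            path = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            else:
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
    return rejected

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        rejected = safe_extract(build_symlink_tar(), dest)
        escaped = os.path.exists(os.path.join(tmp, "outside"))
        os.symlink("../outside", os.path.join(dest, "planted"))  # a link already on disk
        through_link = resolves_inside(dest, "planted/config.xml")
    return {"rejected": rejected, "escaped": escaped, "through_link": through_link}
```

On Windows, os.symlink needs the symlink privilege or Developer Mode, but the path check itself does not depend on that.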

📡 Detection & Monitoring

Log Indicators:

  • Unusual TAR extraction patterns
  • File writes outside expected directories
  • Symlink creation in extraction directories

Network Indicators:

  • Unexpected outbound connections from Hadoop nodes post-TAR processing

SIEM Query:

source="hadoop.logs" AND ("tar extraction" OR "symlink") AND (event_type="file_write" OR event_type="directory_traversal")
