CVE-2023-26031

7.5 HIGH

📋 TL;DR

This vulnerability allows local users to escalate privileges to root by exploiting relative library resolution in Apache Hadoop's container-executor binary. Remote authenticated users can also gain root access if the YARN cluster accepts their work. Affects Hadoop installations using YARN Secure Containers on Linux systems.

💻 Affected Systems

Products:
  • Apache Hadoop
Versions: 3.3.1 through 3.3.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using YARN Secure Containers with container-executor binary owned by root and SUID bit set.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote authenticated attacker gains full root access to the Hadoop host, enabling complete system compromise, data theft, and lateral movement.

🟠 Likely Case

Local user or compromised service account escalates to root privileges, potentially compromising the entire Hadoop cluster and sensitive data.

🟢 If Mitigated

Attack fails due to proper file permissions or container isolation, but the system remains vulnerable to other attack vectors.

🌐 Internet-Facing: MEDIUM - Requires authenticated remote access to YARN cluster, but exploitation leads to root compromise.
🏢 Internal Only: HIGH - Local users or compromised service accounts can easily exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires write access to a directory in the library search path and ability to execute container-executor.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.5

Vendor Advisory: https://hadoop.apache.org/cve_list.html

Restart Required: Yes

Instructions:

1. Upgrade to Hadoop 3.3.5 or later.
2. Replace the container-executor binary with the patched version.
3. Restart all YARN services.
4. Verify the SUID bit is removed if not using Secure Containers.

🔧 Temporary Workarounds

Remove SUID bit from container-executor (linux)

Disables YARN Secure Containers but prevents privilege escalation:

chmod u-s /path/to/hadoop/bin/container-executor

Change ownership to non-root user (linux)

Prevents root execution; since YARN Secure Containers require a root-owned SUID binary (see Notes above), this also disables that feature while the rest of YARN keeps working:

chown yarn:hadoop /path/to/hadoop/bin/container-executor

🧯 If You Can't Patch

  • Remove SUID bit from container-executor binary immediately
  • Isolate Hadoop nodes from sensitive systems and implement strict access controls

🔍 How to Verify

Check if Vulnerable:

Run: readelf -d /path/to/hadoop/bin/container-executor | grep -E 'RUNPATH|RPATH' | grep -qF '../lib/native/' && echo 'VULNERABLE'

(-F matches the path literally; without it the dots in the pattern match any character.)

Check Version:

hadoop version | grep 'Hadoop'

Verify Fix Applied:

Run: readelf -d /path/to/hadoop/bin/container-executor | grep -E 'RUNPATH|RPATH' | grep -qF '../lib/native/' || echo 'PATCHED'

Confirm the path first: this also prints PATCHED when the binary is missing or readelf is not installed, because the pipeline then finds no match.
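The one-liners above can be folded into a single check that also looks at the file mode, since the weakness is only exploitable when the relative RUNPATH sits on a root-owned SUID binary. The script below is an added example, not tooling from Apache Hadoop or from this page: it parses `readelf -d` output, classifies the RUNPATH/RPATH entries, tests for root ownership plus SUID, and prints a verdict. The embedded readelf output samples are constructed for demonstration, and treating `$ORIGIN`-anchored or absolute entries as safe is this script's own assumption (the loader resolves `$ORIGIN` against the binary's location, not the caller's working directory).

```shell
#!/bin/sh
# Added example (not Hadoop project code): classify a container-executor
# binary for CVE-2023-26031 from its RUNPATH/RPATH and its file mode.
# Usage: sh check_ce.sh /path/to/hadoop/bin/container-executor

# Read `readelf -d` output on stdin and print one word:
#   VULNERABLE  a RUNPATH/RPATH entry is relative (e.g. ../lib/native/), so the
#               loader resolves it against the caller's working directory
#   PATCHED     every entry is absolute or $ORIGIN-anchored (assumption: both
#               are treated as safe, since the caller does not control them)
#   NONE        no RUNPATH/RPATH entry at all
runpath_status() {
    # readelf prints e.g. "(RUNPATH)  Library runpath: [../lib/native/]";
    # keep the bracketed value(s), joined with ':' like a real RUNPATH list
    paths=$(grep -E '\((RUNPATH|RPATH)\)' | sed -n 's/.*\[\(.*\)].*/\1/p' | tr '\n' ':')
    if [ -z "$paths" ]; then
        echo NONE
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    set -f                                # no glob expansion of the entries
    for p in $paths; do
        case "$p" in
            '') ;;                        # empty field from a trailing ':'
            /*|'$ORIGIN'*) ;;             # anchored entry: safe
            *) IFS=$old_ifs; set +f; echo VULNERABLE; return 0 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    echo PATCHED
}

# Print "yes" if the file is owned by root with the set-user-ID bit, else "no".
# Only that combination lets a non-root caller run the binary as root.
suid_root() {
    if [ -n "$(find "$1" -user root -perm -4000 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# Combine the RUNPATH status and the SUID/ownership fact into a verdict.
classify() {
    case "$1:$2" in
        VULNERABLE:yes) echo "EXPLOITABLE: relative RUNPATH on a root-owned SUID binary" ;;
        VULNERABLE:*)   echo "MITIGATED: relative RUNPATH, but not root-owned SUID" ;;
        *)              echo "OK: no relative RUNPATH ($1)" ;;
    esac
}

# Run both checks against a real file on this host.
check_binary() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "missing: $bin"
        return 2
    fi
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found (install binutils)"; return 2; }
    rp=$(readelf -d "$bin" | runpath_status)
    classify "$rp" "$(suid_root "$bin")"
}

# Constructed samples of readelf -d output, for offline demonstration only.
VULN_SAMPLE=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [../lib/native/]'
FIXED_SAMPLE=' 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]'

if [ -n "${1:-}" ]; then
    check_binary "$1"
else
    echo "sample vulnerable: $(printf '%s\n' "$VULN_SAMPLE" | runpath_status)"
    echo "sample fixed:      $(printf '%s\n' "$FIXED_SAMPLE" | runpath_status)"
fi
```

With no argument the script classifies the two constructed samples; with a path it inspects that binary. A MITIGATED verdict corresponds to the "remove the SUID bit" workaround above: the relative RUNPATH is still present, so the binary should still be replaced when upgrading.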

📡 Detection & Monitoring

Log Indicators:

  • Unusual library loading errors in YARN logs
  • Suspicious container-executor executions with unexpected libraries

Network Indicators:

  • Unusual outbound connections from Hadoop nodes post-exploitation

SIEM Query:

process_name:"container-executor" AND (library_load:"../lib/native/" OR parent_process:unusual_user)
