CVE-2024-23454
Information Disclosure vulnerability in hadoop-common (Maven)
What is CVE-2024-23454 About?
Apache Hadoop's `RunJar.run()` function creates temporary directories without setting appropriate permissions, leading to information disclosure. This allows other local users to view sensitive data stored in these temporary files. Exploitation is simple and requires only local access.
Affected Software
Technical Details
The RunJar.run() method in Apache Hadoop, when creating temporary directories for its operations, fails to explicitly set POSIX permissions for these directories. By default, on Unix-like operating systems, files and directories created in common system temporary directories (like /tmp) are often readable by all local users unless specific permissions are applied. Consequently, if RunJar.run() processes sensitive data within these temporary directories, any other local user on the same system can access and read the content of these files, leading to an unauthorized information disclosure. The vulnerability stems from the absence of a umask or chmod operation to restrict access rights.
What is the Impact of CVE-2024-23454?
Successful exploitation may allow attackers to access sensitive data, such as configuration files, user data, or temporary processing results, leading to unauthorized information disclosure and potential further attacks.
What is the Exploitability of CVE-2024-23454?
Exploiting this vulnerability is straightforward and requires minimal complexity. The primary prerequisite is local access to the system running Apache Hadoop. No authentication is needed to view the permissions of the temporary directory or its contents, as it relies on default system behavior. Similarly, no special privileges are required beyond standard user access to the local file system. This is a local vulnerability; remote exploitation is not directly possible without pre-existing access to the system. There are no special conditions or constraints other than the existence of sensitive data being processed by RunJar.run() and stored in the insecure temporary directory. The risk of exploitation increases in multi-user environments where multiple users can log in to the same machine.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-23454?
Available Upgrade Options
- org.apache.hadoop:hadoop-common
- <3.4.0 → Upgrade to 3.4.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/apache/hadoop
- https://security.netapp.com/advisory/ntap-20241101-0002
- https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64
- https://osv.dev/vulnerability/GHSA-f5fw-25gw-5m92
- https://security.netapp.com/advisory/ntap-20241101-0002/
- https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs
- https://issues.apache.org/jira/browse/HADOOP-19031
- https://issues.apache.org/jira/browse/HADOOP-19031
- http://www.openwall.com/lists/oss-security/2024/09/25/1
- http://www.openwall.com/lists/oss-security/2024/09/25/1
What are Similar Vulnerabilities to CVE-2024-23454?
Similar Vulnerabilities: CVE-2024-21010 , CVE-2023-48092 , CVE-2023-47000 , CVE-2023-44820 , CVE-2023-38407
