SCA: security update for org.apache.hadoop:hadoop-common (GHSA-gx2c-fvhc-ph4j)

critical Tenable Cloud Security Plugin ID 415363

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility
on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction
directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into
the external directory using the symlink name. This however would be caught by the same targetDirPath
check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve
symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which
allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
(CVE-2022-26612)

See Also

https://github.com/advisories/GHSA-gx2c-fvhc-ph4j

Plugin Details

Severity: Critical

ID: 415363

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.98

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-26612

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/8/2022

Vulnerability Publication Date: 4/7/2022

Reference Information

CVE: CVE-2022-26612

cwe: CWE-22