Security Bulletin: IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2022-25168)

Summary

A security vulnerability has been identified in the IBM Spectrum Scale (GPFS) Hadoop connector which could allow a local authenticated attacker to execute arbitrary commands on the system. Fix for this vulnerability is available.

Vulnerability Details

CVEID:CVE-2022-25168
**DESCRIPTION:**Apache Hadoop could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input file name validation by the FileUtil.unTar(File, File) API. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232807 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Users of the IBM Spectrum Scale (GPFS) Hadoop connector should upgrade to 3.2.2-2+ available with Spectrum Scale 5.1.5.1 and onwards.

<https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General Parallel File System (GPFS)/page/Hadoop Connector Download %26 Info&gt;

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.5&platform=All&function=all

Workarounds and Mitigations

None