The YARN resource manager of Apache Hadoop has a default configuration that allows the unauthenticated execution of arbitrary commands. This vulnerability has been used by the Xbash ransomware as a method of propagation.
- An attacker sends an HTTP POST request to the vulnerable Hadoop YARN service to create a new application.
- The server replies with an HTTP 200 OK and the ID of the newly created application.
- The attacker sends an HTTP POST request with the application ID and arbitrary commands.
- The server executes the arbitrary commands and replies with HTTP 202 Accepted.
In the default configuration, neither Kerberos authentication nor an authenticating proxy is required to reach this API.
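The four-step sequence above leaves a recognisable trace in the ResourceManager's HTTP access log: a POST that creates an application (HTTP 200) followed shortly by a POST that submits it (HTTP 202) from the same client. The following Python is an added example (not Alert Logic's or Apache Hadoop's code) that correlates those two steps over constructed sample log lines. It assumes a simplified log format of the form "timestamp client-ip method path status", uses the standard ResourceManager REST paths /ws/v1/cluster/apps/new-application and /ws/v1/cluster/apps, and picks a 300-second correlation window as a tuning value.

```python
"""Correlate the two-step YARN REST submission sequence in HTTP access logs.

Added example (not Alert Logic's or Apache Hadoop's code). Assumptions:
- The log format is constructed for this example:
  "<ISO-8601 timestamp> <client ip> <method> <path> <status>".
- The paths are the ResourceManager REST API endpoints
  /ws/v1/cluster/apps/new-application and /ws/v1/cluster/apps.
- The 300-second correlation window is a tuning value chosen here.
"""
from collections import defaultdict
from datetime import datetime

NEW_APP_PATH = "/ws/v1/cluster/apps/new-application"
SUBMIT_PATH = "/ws/v1/cluster/apps"
DEFAULT_WINDOW_SECONDS = 300

# Constructed sample log: one complete sequence from 203.0.113.7, an
# unrelated GET, and a second sequence from 192.0.2.9 whose two steps are
# ten minutes apart (outside the default window).
SAMPLE_LOG = """\
2018-10-01T12:00:01Z 203.0.113.7 POST /ws/v1/cluster/apps/new-application 200
2018-10-01T12:00:02Z 203.0.113.7 POST /ws/v1/cluster/apps 202
2018-10-01T12:00:05Z 198.51.100.4 GET /ws/v1/cluster/info 200
2018-10-01T12:10:00Z 192.0.2.9 POST /ws/v1/cluster/apps/new-application 200
2018-10-01T12:20:00Z 192.0.2.9 POST /ws/v1/cluster/apps 202
"""


def parse_line(line):
    """Split one access-log line into a dict; the query string is dropped."""
    ts, ip, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method.upper(),
        "path": path.split("?", 1)[0].rstrip("/"),
        "status": int(status),
    }


def find_rest_submissions(log_text, window_seconds=DEFAULT_WINDOW_SECONDS,
                          allowed_submitters=frozenset()):
    """Return one alert per client that completed new-application (200)
    followed by a submission POST (202) within window_seconds.

    Clients in allowed_submitters (e.g. known job schedulers) are skipped so
    the rule can run on a cluster that legitimately submits via REST.
    """
    pending = defaultdict(list)   # ip -> timestamps of step 1
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["method"] != "POST" or ev["ip"] in allowed_submitters:
            continue
        if ev["path"] == NEW_APP_PATH and ev["status"] == 200:
            pending[ev["ip"]].append(ev["ts"])
        elif ev["path"] == SUBMIT_PATH and ev["status"] == 202:
            recent = [t for t in pending[ev["ip"]]
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
            if recent:
                alerts.append({
                    "ip": ev["ip"],
                    "new_application_at": recent[-1].isoformat(),
                    "submitted_at": ev["ts"].isoformat(),
                })
                # Consume the matched step-1 events so one sequence -> one alert.
                pending[ev["ip"]] = [t for t in pending[ev["ip"]] if t not in recent]
    return alerts


if __name__ == "__main__":
    for alert in find_rest_submissions(SAMPLE_LOG):
        print("suspected unauthenticated YARN submission:", alert)
```

On a cluster where no REST submissions are expected, every alert is worth investigating; where a scheduler legitimately uses the REST API, put its addresses in allowed_submitters so the rule only fires for unexpected clients. The window keeps the correlation from pairing unrelated requests from the same NAT address hours apart.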
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The network-based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.