diff --git a/misconfiguration/hadoop-unauth-rce.yaml b/misconfiguration/hadoop-unauth-rce.yaml new file mode 100644 index 0000000000..53efb92b00 --- /dev/null +++ b/misconfiguration/hadoop-unauth-rce.yaml @@ -0,0 +1,33 @@ +id: hadoop-unauth-rce + +info: + name: Apache Hadoop - Yarn ResourceManager Remote Code Execution + author: pdteam,Couskito + severity: critical + description: | + An unauthenticated Hadoop Resource Manager was discovered, which allows remote code execution by design. + reference: + - http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf + - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb + - https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn + - https://github.com/Al1ex/Hadoop-Yarn-ResourceManager-RCE + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cwe-id: CWE-306 + tags: apache,hadoop,unauth,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/ws/v1/cluster/apps/new-application" + + matchers-condition: and + matchers: + - type: word + words: + - '"application-id"' + + - type: status + status: + - 200 \ No newline at end of file diff --git a/misconfiguration/hadoop-unauth.yaml b/misconfiguration/hadoop-unauth.yaml deleted file mode 100644 index 507e54a6f2..0000000000 --- a/misconfiguration/hadoop-unauth.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: hadoop-unauth - -info: - name: Apache Hadoop Unauth - author: pdteam - severity: low - tags: apache,hadoop,unauth - -requests: - - method: GET - path: - - '{{BaseURL}}/ws/v1/cluster/info' - - '{{BaseURL}}/ws/v1/cluster/apps/new-application' - - matchers-condition: or - matchers: - - type: word - words: - - 'hadoopVersion' - - 'resourceManagerVersionBuiltOn' - condition: and - - - type: word - words: - - 'javax.ws.rs.WebApplicationException'