CVE-2023-26031 Overview
CVE-2023-26031 is a privilege escalation vulnerability in the Apache Hadoop container-executor binary that affects versions 3.3.1 through 3.3.4 on Linux systems. The vulnerability stems from an insecure relative library resolution path that allows local users to gain root privileges. In YARN clusters accepting work from remote authenticated users, this vulnerability may permit remote privilege escalation to root.
The vulnerability was introduced in Hadoop 3.3.0 when the YARN Secure Containers feature was updated to enable executing user-submitted applications in isolated Linux containers. The native binary HADOOP_HOME/bin/container-executor is used to launch these containers and must be owned by root with the SUID bit set for YARN processes to run containers as specific users submitting jobs.
Critical Impact
Local and potentially remote authenticated users can achieve root-level privilege escalation by exploiting insecure library loading paths in the container-executor SUID binary.
Affected Products
- Apache Hadoop 3.3.1
- Apache Hadoop 3.3.2
- Apache Hadoop 3.3.3
- Apache Hadoop 3.3.4
Discovery Timeline
- 2023-11-16 - CVE-2023-26031 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-26031
Vulnerability Analysis
This vulnerability is classified as CWE-426 (Untrusted Search Path), a security weakness that occurs when an application searches for critical resources using an externally-supplied search path that can point to resources not under the application's direct control.
The patch YARN-10495 modified the library loading path (RPATH/RUNPATH) of the container-executor binary from $ORIGIN/ to $ORIGIN/:../lib/native/. This change was intended to make the rpath configurable but inadvertently introduced a security vulnerability by allowing library resolution through relative paths.
The container-executor binary loads shared libraries, including libcrypto.so, using this modified search path. Because the binary runs as root (due to the SUID bit), any library loaded during execution also runs with root privileges.
Root Cause
The root cause is the modification of the dynamic linker search path to include relative directory traversal (../lib/native/). When combined with the SUID bit requirement for the container-executor binary, this creates an exploitable condition where:
- The container-executor binary must be owned by root with SUID bit set for legitimate YARN secure container functionality
- The modified RUNPATH includes ../lib/native/ which resolves relative to the binary's location
- A local user with write access to directories in the resolution path can place a malicious shared library (e.g., libcrypto.so) that will be loaded by the SUID root binary
Attack Vector
The attack exploits the network-accessible YARN service but requires authenticated access. An attacker with valid credentials can submit a malicious job to the YARN cluster. If job execution occurs on the physical host rather than within an isolated container, the attacker can:
- Identify or create a writable directory that falls within the relative library search path
- Plant a malicious libcrypto.so shared library in that location
- Trigger execution of the container-executor binary
- Achieve code execution as root when the malicious library is loaded
Administrators can check if their installation is vulnerable using the readelf command to inspect the binary's RUNPATH:
# Vulnerable configuration shows relative path
$ readelf -d container-executor | grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/]
# Safe configuration shows only $ORIGIN
$ readelf -d container-executor | grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/]
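As an added check that is not part of the original advisory, the POSIX shell script below parses `readelf -d` output and flags any RUNPATH/RPATH entry that is neither absolute nor rooted at $ORIGIN; the dynamic linker resolves such bare relative entries against the calling process's working directory rather than the binary's own directory, which is what makes `../lib/native/` dangerous in a SUID root binary. The `check_binary` function, the `CE_BIN` variable and the sample readelf lines are assumptions constructed from the output shown above.

```shell
#!/bin/sh
# Added example: audit a container-executor binary's DT_RUNPATH/DT_RPATH
# for the CVE-2023-26031 pattern (a relative entry such as ../lib/native/).

# Print the search-path entries from `readelf -d` output, one per line.
runpath_entries() {
    printf '%s\n' "$1" \
      | grep -E '\((RUNPATH|RPATH)\)' \
      | sed -E 's/.*\[([^]]*)\].*/\1/' \
      | tr ':' '\n' \
      | grep -v '^$'
}

# Print only entries that are neither absolute nor $ORIGIN-rooted.
# ld.so resolves these relative to the process's working directory, not
# to the binary, so a SUID binary loads whatever the caller placed there
# (the CWE-426 condition described above).
runpath_relative_entries() {
    runpath_entries "$1" | grep -Ev '^(/|\$ORIGIN)'
}

# True (exit 0) when at least one relative entry is present.
runpath_is_vulnerable() {
    [ -n "$(runpath_relative_entries "$1")" ]
}

# Inspect a binary on disk: RUNPATH plus the SUID/owner facts that make a
# relative path dangerous. Returns 1 if vulnerable, 0 if safe, 2 on error.
check_binary() {
    bin="$1"
    out=$(readelf -d "$bin" 2>/dev/null) || { echo "cannot read $bin" >&2; return 2; }
    owner=$(ls -ld "$bin" | awk '{print $3}')
    if [ -u "$bin" ] && [ "$owner" = root ]; then
        echo "$bin is SUID root (Secure Containers enabled)"
    else
        echo "$bin is not SUID root; a relative RUNPATH is still worth fixing"
    fi
    if runpath_is_vulnerable "$out"; then
        echo "VULNERABLE: relative search-path entries:"
        runpath_relative_entries "$out" | sed 's/^/  /'
        return 1
    fi
    echo "OK: search path is absolute/\$ORIGIN only"
    return 0
}

# Usage: CE_BIN=/opt/hadoop/bin/container-executor sh check_runpath.sh
if [ -n "${CE_BIN:-}" ]; then check_binary "$CE_BIN"; fi
```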
Detection Methods for CVE-2023-26031
Indicators of Compromise
- Presence of unexpected or recently modified libcrypto.so files in directories relative to the Hadoop binary path
- Unusual processes spawned by container-executor with root privileges
- Suspicious shared library files in /opt/hadoop/lib/native/ or adjacent directories
- Unauthorized modifications to Hadoop installation directories
Detection Strategies
- Monitor file system changes in Hadoop installation directories, particularly for new .so files
- Audit container-executor invocations and correlate with expected YARN job submissions
- Implement file integrity monitoring (FIM) on the Hadoop binary and library directories
- Review authentication logs for unusual YARN job submissions from unexpected users
Monitoring Recommendations
- Enable enhanced logging for YARN resource manager and node manager components
- Configure alerts for privilege escalation attempts detected by endpoint security solutions
- Monitor for unexpected root-level process execution originating from Hadoop services
- Track changes to SUID binaries and their associated library paths using system auditing tools
How to Mitigate CVE-2023-26031
Immediate Actions Required
- Upgrade Apache Hadoop to version 3.3.5 or later, which contains the fix in YARN-11441
- Verify the container-executor binary RUNPATH using readelf -d container-executor | grep 'RUNPATH\|RPATH'
- Review and restrict write permissions to directories in the Hadoop installation path
- Audit YARN cluster access controls and authentication mechanisms
Patch Information
The fix for this vulnerability is implemented in YARN-11441, which reverts the problematic YARN-10495 change. This patch is included in Apache Hadoop version 3.3.5 and later. Organizations should upgrade to the patched version as the primary remediation strategy.
For additional information, refer to the Apache Hadoop CVE List and the Apache Mailing List Discussion.
Workarounds
- Remove the SUID bit from the container-executor binary if YARN Secure Containers are not required
- Change ownership of container-executor from root to a less privileged user (disables Secure Containers functionality)
- Restrict network access to the YARN cluster to trusted internal networks only
- Implement strict directory permissions to prevent unauthorized write access to library search paths
# Remove SUID bit (disables Secure Containers but mitigates vulnerability)
chmod u-s /opt/hadoop/bin/container-executor
# Change ownership away from root (alternative mitigation)
chown yarn:hadoop /opt/hadoop/bin/container-executor
# Verify safe configuration
ls -laF /opt/hadoop/bin/container-executor
# Expected output (safe): -rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor
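To confirm that the workarounds above are actually in effect, here is an added shell helper (not part of the advisory) that classifies a container-executor binary from an `ls -l`-style line such as the expected output above, and flags group- or world-writable directories among the binary's own directory and HADOOP_HOME/lib/native, the locations the advisory names in the search path. The function names and the sample lines are assumptions for this example.

```shell
#!/bin/sh
# Added example: verify that the CVE-2023-26031 workarounds are in effect.

# Classify a container-executor from an `ls -l` style line.
# Prints one token: exposed | mitigated-nosuid | mitigated-nonroot
classify_ce_line() {
    perms=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$perms" in
        ???[sS]*) ;;                         # 4th char s/S = SUID bit set
        *) echo mitigated-nosuid; return 0 ;;
    esac
    if [ "$owner" != root ]; then
        echo mitigated-nonroot
    else
        echo exposed                         # SUID root: safe only if RUNPATH is fixed
    fi
}

# Classify the binary actually installed at $1.
classify_ce() {
    classify_ce_line "$(ls -ld "$1")"
}

# True (exit 0) when a directory is writable by group or others,
# i.e. a non-root user could plant a libcrypto.so there.
dir_loosely_writable() {
    perms=$(ls -ld "$1" | awk '{print $1}')
    case "$perms" in
        ?????w*|????????w*) return 0 ;;      # group (pos 6) or other (pos 9) write bit
        *) return 1 ;;
    esac
}

# Report loosely writable directories among the binary's directory and
# HADOOP_HOME/lib/native for the binary at $1. Returns 1 if any is found.
audit_search_dirs() {
    bindir=$(dirname "$1")
    rc=0
    for d in "$bindir" "$bindir/../lib/native"; do
        [ -d "$d" ] || continue
        if dir_loosely_writable "$d"; then
            echo "WRITABLE: $d (restrict to the Hadoop admin account)"; rc=1
        else
            echo "ok: $d"
        fi
    done
    return $rc
}
```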
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.