
[GHSA-94jh-j374-9r3j] Refining Attack Requirement to Reflect Dependency on Physical Host for Successful Exploitation #5157

Open · wants to merge 1 commit into base: anonymous-nlp-student/advisory-improvement-5157

Conversation

anonymous-nlp-student

I am collaborating with @vulnerability-analyst to enhance the accuracy of the OSS vulnerability advisories.

In alignment with the feedback from @shelbyc in this PR, the Attack Requirement (AT) should be updated to P (Present) rather than the erroneous N (None). This is because if the attacker submits a job to the container, he/she will not gain root privileges.

If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted jobs are executed on the physical host, rather than in a container, then the CVE permits remote users to gain root privileges.

The sentence underlined above represents the “specific deployment and execution conditions” required for a successful attack, as defined in the CVSS 4 specification:

The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack.

Overall, this vulnerability describes the following scenario:

  • The vulnerability allows a local attacker to create a malicious libcrypto.so library and place it in a writable directory within the modified search path $ORIGIN/:../lib/native/. When the container-executor binary (which requires root privileges) is invoked, it may load the attacker’s malicious library instead of the legitimate libcrypto.so.
  • For a remote attacker, successful exploitation is possible only if the YARN cluster executes user-submitted jobs directly on the physical host rather than within a container. If the attacker has access only to a containerized environment, the attack will fail.
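
As an added example (not code from this PR, the advisory, or Hadoop), the audit below resolves a setuid binary's RPATH the way the dynamic loader does and flags any search-path element a non-root user could populate; the RPATH string is the one quoted above, while the binary location, the job's working directory and the filesystem metadata are constructed for illustration.

```python
import os
import stat

# Constructed sample filesystem metadata: directory -> (mode, owner uid).
# Paths are assumed for illustration, not taken from a real deployment.
SAMPLE_FS = {
    "/opt/hadoop/bin": (0o755, 0),            # where container-executor is assumed to live
    "/opt/hadoop/lib/native": (0o755, 0),     # the intended, root-owned library directory
    "/home/user/lib/native": (0o755, 1000),   # inside the submitting user's own tree
}

def expand_search_path(rpath, origin, cwd):
    """Resolve a colon-separated DT_RUNPATH/DT_RPATH string as the loader does:
    $ORIGIN becomes the binary's directory, an empty element means the working
    directory, and any other relative element is joined to the working
    directory, not to $ORIGIN (the defect in '$ORIGIN/:../lib/native/')."""
    resolved = []
    for entry in rpath.split(":"):
        if entry == "":
            resolved.append(cwd)
            continue
        entry = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
        if not entry.startswith("/"):
            entry = os.path.join(cwd, entry)
        resolved.append(os.path.normpath(entry))
    return resolved

def risky_dirs(rpath, origin, cwd, fs):
    """Return (directory, reason) for each search-path element that a user
    other than root could fill with a library of their choosing."""
    findings = []
    for d in expand_search_path(rpath, origin, cwd):
        meta = fs.get(d)
        if meta is None:
            findings.append((d, "does not exist; whoever can create it controls it"))
            continue
        mode, uid = meta
        if uid != 0:
            findings.append((d, f"owned by uid {uid}, not root"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((d, f"writable by group/others (mode {oct(mode)})"))
    return findings

if __name__ == "__main__":
    # Job working directory is assumed; with jobs run on the host it is user-chosen.
    for d, why in risky_dirs("$ORIGIN/:../lib/native/", "/opt/hadoop/bin",
                             "/home/user/job", SAMPLE_FS):
        print(f"RISK {d}: {why}")
```

Re-running the audit with `$ORIGIN/:$ORIGIN/../lib/native/` against the same sample yields no findings, which is the difference between a cwd-relative and an $ORIGIN-relative element.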

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5157 January 10, 2025 04:40