EMR 5.x status and security updates


We are running an application based on EMR 5.36.0, and our security scans note several "high" impact Tomcat vulnerabilities (used internally by EMR).

The last 5.x release was July 2022, and Tomcat was last updated as part of EMR in 5.35. Two questions arise:

  • Is AWS EMR 5.x officially EOL, or otherwise nearing it? (based on the long delay between releases)
  • Is there any official AWS documentation on whether the EMR cluster is affected by the specified CVEs? Or, is there a supported path to hotfix?

It appears that Tomcat is used by two features in Hadoop, both of which are (apparently) running by default on our EMR cluster.

Open CVEs for Tomcat 8.5.75 include:

  • (high) CVE-2022-25762 (websockets)
  • (high) CVE-2022-42252 (request smuggling)
  • (high) CVE-2023-24998 (DoS)
  • (others)
1 Answer

Hello,

➤ To begin with your query for "Is AWS EMR 5.x officially EOL, or otherwise nearing it"

I would like you to know that we don't remove any EMR versions, and all EMR versions are available on the console, so that customers who are working with older versions do not get impacted. Please note that the Support team is not aware of the timelines and EOL of the EMR versions. However, if any of the versions is deprecated, you will be notified and it is updated in the documentation. You can check links [1,2] for updates in EMR and EMR 5.x respectively.

➤ Further adding to the query, "Is there any official AWS documentation on whether the EMR cluster is affected by the specified CVEs? Or, is there a supported path to hotfix"

CVE-2022-25762: EMR clusters run in the customer account, and customers have full control to add or change software and configuration settings on their EMR cluster instances. When you run software provided by EMR with EMR's default configuration settings, the issues discussed in CVE-2022-25762 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762) do not impact EMR; for more information refer to links [3a,3b].

CVE-2022-42252: Regarding the impact of CVE-2022-42252 on EMR, the Hadoop team has investigated the application paths below, as no application paths were specified for this vulnerability; for more information refer to links [4a,4b].

  • path: /usr/lib/bigtop-tomcat/lib/
  • path: /usr/lib/hadoop-kms/share/hadoop/kms/tomcat/lib/

CVE-2023-24998: Fixes are still pending on this issue; at link [5] you can find the status and more information.

You can check the official AWS documentation on whether the EMR cluster is affected by the specified CVEs at the link below:

[*] https://alas.aws.amazon.com/alas2.html

References:

[1] https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-whatsnew.html

[2] https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-release-5x.html

[3a] CVE-2022-25762 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762

[3b] CVE-2022-25762 - https://alas.aws.amazon.com/cve/html/CVE-2022-25762.html

[4a] CVE-2022-42252 - https://www.tenable.com/plugins/nessus/166807

[4b] CVE-2022-42252 - https://alas.aws.amazon.com/cve/html/CVE-2022-42252.html

[5] CVE-2023-24998 - https://explore.alas.aws.amazon.com/CVE-2023-24998.html

AWS (Ltlaksh), answered a year ago
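A script to run on an EMR node to answer the practical part of the question, added here as an example (it is not from the post above or from AWS): it reads the Tomcat patch level from catalina.jar in the two lib directories the answer names and reports which of the three CVEs listed in the question are still unfixed at that patch level. The fixed-in versions (8.5.76, 8.5.83 and 8.5.85) are taken from the Apache Tomcat 8 security advisories, not from this page; the function names and the sample ServerInfo.properties text are constructed for the example. Tomcat records its version in org/apache/catalina/util/ServerInfo.properties inside catalina.jar, so the script needs only unzip on the node.

```shell
#!/bin/sh
# Added example, not code from the original post or from AWS/EMR.
# Checks the Tomcat 8.5.x copies that EMR ships in the two lib directories
# named in the answer against the fixed-in versions from the Apache Tomcat 8
# security advisories for the three CVEs listed in the question.

# Fixed-in patch levels on the 8.5.x line (per the Apache Tomcat 8 security page).
CVE_2022_25762_FIXED=76   # WebSocket connection reuse; fixed in 8.5.76
CVE_2022_42252_FIXED=83   # request smuggling via invalid Content-Length; fixed in 8.5.83
CVE_2023_24998_FIXED=85   # Commons FileUpload DoS; fixed in 8.5.85

# Extract the patch number from ServerInfo.properties text such as
# "server.number=8.5.75.0". Prints "75"; prints nothing for a non-8.5.x version.
patch_from_serverinfo() {
    printf '%s\n' "$1" | sed -n 's/^server\.number=8\.5\.\([0-9][0-9]*\)\..*/\1/p'
}

# Print, one per line, the CVEs whose fix a given 8.5.x patch level predates.
# Prints nothing when all three fixes are present.
open_cves_for_patch() {
    p=$1
    [ "$p" -lt "$CVE_2022_25762_FIXED" ] && echo CVE-2022-25762
    [ "$p" -lt "$CVE_2022_42252_FIXED" ] && echo CVE-2022-42252
    [ "$p" -lt "$CVE_2023_24998_FIXED" ] && echo CVE-2023-24998
    return 0
}

# Read catalina.jar from a lib directory and print its 8.5.x patch level.
# Prints nothing if the jar is absent or unzip is not installed.
patch_from_libdir() {
    jar="$1/catalina.jar"
    [ -f "$jar" ] && command -v unzip >/dev/null 2>&1 || return 0
    patch_from_serverinfo "$(unzip -p "$jar" org/apache/catalina/util/ServerInfo.properties 2>/dev/null)"
}

# Scan the two directories from the answer (run this on a master or core node).
scan_emr_tomcat() {
    for d in /usr/lib/bigtop-tomcat/lib /usr/lib/hadoop-kms/share/hadoop/kms/tomcat/lib; do
        p=$(patch_from_libdir "$d")
        if [ -z "$p" ]; then
            echo "$d: no catalina.jar found (or unzip missing)"
        else
            echo "$d: Tomcat 8.5.$p, open: $(open_cves_for_patch "$p" | tr '\n' ' ')"
        fi
    done
}

# Constructed sample, shaped like the ServerInfo.properties inside catalina.jar
# for the Tomcat 8.5.75 mentioned in the question (not copied from a real jar).
SAMPLE_SERVERINFO='server.info=Apache Tomcat/8.5.75
server.number=8.5.75.0'

scan_emr_tomcat
```

The version check tells you which fixes are missing, not whether the cluster is exposed: CVE-2022-25762 requires WebSocket use, and CVE-2022-42252 requires rejectIllegalHeader to be false (the 8.5.x default at the time, per the CVE text) together with a reverse proxy that also forwards the invalid Content-Length header. Pair the script's output with a look at the connector settings in the server.xml under each of those two installations before deciding whether a hotfix is urgent.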
