oss-sec mailing list archives
CVE-2018-11768: Apache Hadoop HDFS FSImage Corruption
From: Akira Ajisaka <aajisaka () apache org>
Date: Fri, 4 Oct 2019 10:33:25 +0900
CVE-2018-11768: HDFS FSImage Corruption Severity: Critical Vendor: The Apache Software Foundation Versions affected: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4 Description: There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage. Mitigation: Users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or upper. This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the vulnerability fix. Credit: This issue was discovered by Ekanth Sethuramalingam.
Current thread:
- CVE-2018-11768: Apache Hadoop HDFS FSImage Corruption Akira Ajisaka (Oct 04)