CVE-2018-11768: Apache Hadoop HDFS FSImage Corruption

[Akira Ajisaka <aajisaka () apache org>]

CVE-2018-11768: HDFS FSImage Corruption


Severity: Critical


Vendor: The Apache Software Foundation


Versions affected:

3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4


Description:

There is a mismatch in the size of the fields used to store user/group
information between memory and disk representation. This causes the
user/group information to be corrupted across storing in fsimage and
reading back from fsimage.


Mitigation:

Users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or upper. This
vulnerability fix contains a fsimage layout change, so once the image is
saved in the new layout format you cannot go back to a version that doesn’t
support the newer layout. This means that once 2.7.x users upgraded to the
fixed version, they cannot downgrade to 2.7.x because there is no fixed
version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that
contains the vulnerability fix.


Credit:

This issue was discovered by Ekanth Sethuramalingam.