Description: When Kerberos authentication is enabled but SPNEGO through HTTP is not enabled, any user can access some servlets without authentication.
Mitigation: Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or later. If you are using an affected version of Apache Hadoop, you need to enable SPNEGO through HTTP.
Versions affected: 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5
External References: https://seclists.org/oss-sec/2020/q3/198
Upstream patch: https://github.com/apache/hadoop/commit/94b0df839d36cf5d5e927b3642566c67d0689474
In OpenShift Container Platform the hadoop-container uses Hadoop 3.1.1.redhat-00002 (Hadoop 3.1.1 plus patches), which is not affected by this flaw.
Mitigation: Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or later. If that is not possible and an affected version of Apache Hadoop is used, SPNEGO through HTTP should be enabled.
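The mitigation above (and the one in the description) amounts to turning on SPNEGO for Hadoop's HTTP endpoints, not only for RPC. The following core-site.xml fragment is an added illustration of that configuration, not taken from this bug report or from the Hadoop project; the realm, hostnames, keytab path and secret file path are placeholders, and the property names are the standard Hadoop HTTP authentication settings.

```xml
<!-- core-site.xml fragment (added example; EXAMPLE.COM, keytab and secret
     paths are placeholders to be replaced with the cluster's own values). -->
<configuration>

  <!-- RPC is already Kerberos-protected; this is the state the flaw assumes. -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>

  <!-- Weak state: with no HTTP filter initializer, the web endpoints fall back
       to the default "simple" HTTP authentication, which is the condition
       under which the affected versions exposed some servlets. Commented out
       here for contrast; do not set it on an affected cluster.
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>simple</value>
  </property>
  -->

  <!-- Corrected state: install the authentication filter on every Hadoop
       web endpoint and make it require Kerberos/SPNEGO. -->
  <property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
  </property>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
  </property>
  <!-- _HOST is expanded to the local FQDN on each daemon, so one value
       works for every node. -->
  <property>
    <name>hadoop.http.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>hadoop.http.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
  </property>
  <!-- Anonymous access is only meaningful for "simple" mode; disable it
       explicitly so a later change of type cannot silently reopen it. -->
  <property>
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
  </property>
  <!-- Shared secret used to sign the authentication cookie; the file must be
       identical on all nodes and readable only by the Hadoop service user. -->
  <property>
    <name>hadoop.http.authentication.signature.secret.file</name>
    <value>/etc/security/http_secret</value>
  </property>
  <!-- Lifetime of the signed cookie, in seconds. -->
  <property>
    <name>hadoop.http.authentication.token.validity</name>
    <value>36000</value>
  </property>

</configuration>
```

After restarting the daemons, an unauthenticated HTTP request to a protected endpoint such as the NameNode web UI should be answered with HTTP 401 carrying a `WWW-Authenticate: Negotiate` header rather than with content; a request made from a session holding a valid Kerberos ticket should succeed. Checking for that 401 on each web-facing daemon is a simple way to confirm the filter is active everywhere, since the initializer setting is global to core-site.xml but takes effect only on daemons that were restarted after the change.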
The issue was originally introduced here: https://issues.apache.org/jira/browse/HADOOP-13707
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11765