1883549 – (CVE-2018-11765) CVE-2018-11765 hadoop: Potential information disclosure in Hadoop Web interfaces

Bug 1883549 (CVE-2018-11765) - CVE-2018-11765 hadoop: Potential information disclosure in Hadoop Web interfaces

Summary: CVE-2018-11765 hadoop: Potential information disclosure in Hadoop Web interfaces

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2018-11765
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1883550
TreeView+	depends on / blocked

Reported:	2020-09-29 14:35 UTC by Michael Kaplan
Modified:	2021-02-16 19:10 UTC (History)
CC List:	23 users (show)
Fixed In Version:	Hadoop 2.10.0, Hadoop 3.0.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-08 14:21:13 UTC
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2020-09-29 14:35:02 UTC

Description:
When Kerberos authentication is enabled and SPNEGO through HTTP is not
enabled, any users can access some servlets without authentication.

Mitigation:
Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or upper. If you
are using the affected version of Apache Hadoop, you need to enable
SPNEGO through HTTP.


Versions affected:
3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5

Comment 1 Michael Kaplan 2020-09-29 14:35:08 UTC

External References:

https://seclists.org/oss-sec/2020/q3/198

Comment 3 Przemyslaw Roguski 2020-10-05 09:05:37 UTC

Upstream patch:
https://github.com/apache/hadoop/commit/94b0df839d36cf5d5e927b3642566c67d0689474

Comment 4 Przemyslaw Roguski 2020-10-05 11:13:02 UTC

In OpenShift Container Platform the hadoop-container uses Hadoop 3.1.1.redhat-00002 (hadoop 3.1.1 + patches).
Not affected by this flaw.

Comment 5 Przemyslaw Roguski 2020-10-05 11:13:07 UTC

Mitigation:

Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or upper. If it is not possible and affected version of Apache Hadoop is used,  SPNEGO through HTTP should be enabled.

Comment 6 Przemyslaw Roguski 2020-10-06 08:31:02 UTC

Originally issue was introduced here:
https://issues.apache.org/jira/browse/HADOOP-13707

Comment 7 Product Security DevOps Team 2020-10-08 14:21:13 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-11765

Note You need to log in before you can comment on or make changes to this bug.

aileenc
bchilds
bmontgom
chazlett
drieden
eparis
ggaughan
gmalinko
janstey
jburrell
jochrist
jokerman
jolee
jschatte
jstastny
jwon
nstielau
pjindal
sd-operator-metering
sponnaga
tflannag
vbellur
vhalbert