1764650 – (CVE-2018-11768) CVE-2018-11768 hadoop: user/group information corruption through fsimage storing and reading

Bug 1764650 (CVE-2018-11768) - CVE-2018-11768 hadoop: user/group information corruption through fsimage storing and reading

Summary: CVE-2018-11768 hadoop: user/group information corruption through fsimage stor...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-11768
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1764651 1776635 1776640 1777130
Blocks:	1764652
TreeView+	depends on / blocked

Reported:	2019-10-23 14:14 UTC by Pedro Sampaio
Modified:	2021-10-25 22:11 UTC (History)
CC List:	28 users (show)
Fixed In Version:	Apache Hadoop 2.8.5, Apache Hadoop 2.9.2, Apache Hadoop 3.1.2
Clone Of:
Environment:
Last Closed:	2021-10-25 22:11:29 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2019-10-23 14:14:17 UTC

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.

References:

https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E
https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E
https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E
https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4@%3Chdfs-dev.hadoop.apache.org%3E

Comment 1 Pedro Sampaio 2019-10-23 14:14:36 UTC

Created hadoop tracking bugs for this issue:

Affects: fedora-all [bug 1764651]

Comment 3 Jason Shepherd 2019-11-26 05:29:09 UTC

Statement:

Hadoop is included in OpenShift Container Platform 4.2 and later as part of the metering operator. It's an optional feature that is not installed by default.

Comment 8 Paramvir jindal 2019-12-17 09:30:54 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Jonathan Christison 2020-08-25 13:37:13 UTC

Marking Red Hat Jboss Fuse 7 as having a low impact, Fuse 7 distributes affected artifacts of hadoop hdfs, however its use in Fuse 7 camel-hdfs2 does not call upon the affected hdfs server components. We advise customers using hadoop to investigate the usage of the hadoop server/Datanodes and ensure it is safe.

Note You need to log in before you can comment on or make changes to this bug.

aileenc
bigdata-qe-bugs
bkearney
bmontgom
chazlett
ctubbsii
denis.arnaud_fedora
drieden
eparis
extras-orphan
ggaughan
hvyas
janstey
jburrell
jochrist
jokerman
jolee
jschatte
jstastny
jwon
milleruntime
nstielau
rhs-bugs
sd-operator-metering
sisharma
sponnaga
tflannag
tlestach