Bug 1764650 (CVE-2018-11768) - CVE-2018-11768 hadoop: user/group information corruption through fsimage storing and reading
Summary: CVE-2018-11768 hadoop: user/group information corruption through fsimage stor...
Alias: CVE-2018-11768
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1764651 1776635 1776640 1777130
Blocks: 1764652
TreeView+ depends on / blocked
Reported: 2019-10-23 14:14 UTC by Pedro Sampaio
Modified: 2021-10-25 22:11 UTC (History)
28 users (show)

Fixed In Version: Apache Hadoop 2.8.5, Apache Hadoop 2.9.2, Apache Hadoop 3.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-25 22:11:29 UTC

Attachments (Terms of Use)

Comment 1 Pedro Sampaio 2019-10-23 14:14:36 UTC
Created hadoop tracking bugs for this issue:

Affects: fedora-all [bug 1764651]

Comment 3 Jason Shepherd 2019-11-26 05:29:09 UTC

Hadoop is included in OpenShift Container Platform 4.2 and later as part of the metering operator. It's an optional feature that is not installed by default.

Comment 8 Paramvir jindal 2019-12-17 09:30:54 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Jonathan Christison 2020-08-25 13:37:13 UTC
Marking Red Hat Jboss Fuse 7 as having a low impact, Fuse 7 distributes affected artifacts of hadoop hdfs, however its use in Fuse 7 camel-hdfs2 does not call upon the affected hdfs server components. We advise customers using hadoop to investigate the usage of the hadoop server/Datanodes and ensure it is safe.

Note You need to log in before you can comment on or make changes to this bug.