In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Reference: https://lists.apache.org/thread.html/3d6831c3893cd27b6850aea2feff7d536888286d588e703c6ffd2e82@%3Cuser.hadoop.apache.org%3E
Created hadoop tracking bugs for this issue: Affects: fedora-all [bug 1795323]
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
The container openshift4/ose-metering-hadoop is packaged with OpenShift 4.x and does not contain a vulnerable version of Hadoop (3.1.1).
rhs-hadoop is a GlusterFS Hadoop Plug-in which provides Hadoop FileSystem support for GlusterFS, and is different from actual apache hadoop. Also, rhs-hadoop is no more supported, as support for Hortonworks Data Platform (HDP) on Red Hat Gluster Storage integrated using the Hadoop Plug-In is deprecated.
Further the openshift4/ose-metering-hadoop container does not run yarn in any resource/job management or privileged role (like normal Apache Hadoop). Instead included for is HDFS support.
Hadoop is used to build satellite-doc-indexes, i.e. to build lucene index files to search documentation. Not able to find Hadoop and Yarn combination on Satellite 5.8, marking it as a not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-8029