You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@lucene.apache.org by Kyle Gerald Lamkin <Ky...@ibm.com> on 2019/10/29 16:29:34 UTC

CVE-2018-11768 in regards to Solr

Hello Solr Devs,



I'm looking for some information about CVE-2018-11768, a Hadoop vulnerability.
In 7.7.2 Solr ships with Hadoop 2.7.4 which is affected, the closest fixed
version is 2.8.5. Solr 8.x ships with Hadoop 3.2 which is not affected.



I was unable to find an Jira item for this, should I open one for it or is it
not applicable?



Thanks for your time.





Regards,



**Kyle (K.G.)  Lamkin**  
  
---  
  
* * *  
  
---  
E-mail: [Kyle.Lamkin@ibm.com](mailto:Kyle.Lamkin@ibm.com)  
  


  
\--------------------------------------------------------------------- To
unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional
commands, e-mail: dev-help@lucene.apache.org

RE: CVE-2018-11768 in regards to Solr

Posted by Bradley Parker <br...@ca.ibm.com>.

Awesome, thanks for the response Kevin we really appreciate it!



**Bradley Parker**  
Security Developer  
IBM Security Systems (QRadar)  
bradpark@ca.ibm.com  
  
 **IBM  Security **





> \----- Original message -----  
> From: Kevin Risden <kr...@apache.org>  
> To: dev@lucene.apache.org  
> Cc: Bradley Parker <br...@ca.ibm.com>  
> Subject: [EXTERNAL] Re: CVE-2018-11768 in regards to Solr  
> Date: Tue, Oct 29, 2019 2:02 PM  
>  
>

> Solr interacts with Hadoop only as a client. (except in integration tests).
From the <https://hadoop.apache.org/cve_list.html> page, this looks like it is
only an issue in the fsimage which is server side for the Namenode. I don't
think that CVE-2018-11768 applies to Solr directly.  
>  
> CVE-2018-11768 Apache Hadoop HDFS FSImage Corruption  
> There is a mismatch in the size of the fields used to store user/group
information between memory and disk representation. This causes the user/group
information to be corrupted across storing in fsimage and reading back from
fsimage.  
>  
> This vulnerability fix contains a fsimage layout change, so once the image
is saved in the new layout format you cannot go back to a version that doesn’t
support the newer layout. This means that once 2.7.x users upgraded to the
fixed version, they cannot downgrade to 2.7.x because there is no fixed
version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains
the vulnerability fix.

>

>  
>

> Kevin Risden

>

>  
>

> On Tue, Oct 29, 2019 at 12:52 PM Kyle Gerald Lamkin
<[Kyle.Lamkin@ibm.com](mailto:Kyle.Lamkin@ibm.com)> wrote:

>

>> Hello Solr Devs,

>>

>>  
>>

>> I'm looking for some information about CVE-2018-11768, a Hadoop
vulnerability. In 7.7.2 Solr ships with Hadoop 2.7.4 which is affected, the
closest fixed version is 2.8.5. Solr 8.x ships with Hadoop 3.2 which is not
affected.

>>

>>  
>>

>> I was unable to find an Jira item for this, should I open one for it or is
it not applicable?

>>

>>  
>>

>> Thanks for your time.

>>

>>  
>>

>>  
>>

>> Regards,

>>

>>  
>>

>> **Kyle (K.G.)  Lamkin**  
>>  
>> ---  
>>  
>> * * *  
>>  
>> ---  
>> E-mail: [Kyle.Lamkin@ibm.com](mailto:Kyle.Lamkin@ibm.com)  
>>  
>>  
>>

>>  
> \--------------------------------------------------------------------- To
unsubscribe, e-mail: [dev-unsubscribe@lucene.apache.org](mailto:dev-
unsubscribe@lucene.apache.org) For additional commands, e-mail: [dev-
help@lucene.apache.org](mailto:dev-help@lucene.apache.org)



  
\--------------------------------------------------------------------- To
unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional
commands, e-mail: dev-help@lucene.apache.org

Re: CVE-2018-11768 in regards to Solr

Posted by Kevin Risden <kr...@apache.org>.

Solr interacts with Hadoop only as a client. (except in integration tests).
From the https://hadoop.apache.org/cve_list.html page, this looks like it
is only an issue in the fsimage which is server side for the Namenode. I
don't think that CVE-2018-11768 applies to Solr directly.

CVE-2018-11768 Apache Hadoop HDFS FSImage Corruption
There is a mismatch in the size of the fields used to store user/group
information between memory and disk representation. This causes the
user/group information to be corrupted across storing in fsimage and
reading back from fsimage.

This vulnerability fix contains a fsimage layout change, so once the image
is saved in the new layout format you cannot go back to a version that
doesn’t support the newer layout. This means that once 2.7.x users upgraded
to the fixed version, they cannot downgrade to 2.7.x because there is no
fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that
contains the vulnerability fix.

Kevin Risden

On Tue, Oct 29, 2019 at 12:52 PM Kyle Gerald Lamkin <Ky...@ibm.com>
wrote:

> Hello Solr Devs,
>
>
>
> I'm looking for some information about CVE-2018-11768, a Hadoop
> vulnerability. In 7.7.2 Solr ships with Hadoop 2.7.4 which is affected, the
> closest fixed version is 2.8.5. Solr 8.x ships with Hadoop 3.2 which is not
> affected.
>
>
>
> I was unable to find an Jira item for this, should I open one for it or is
> it not applicable?
>
>
>
> Thanks for your time.
>
>
> Regards,
>
> *Kyle (K.G.) Lamkin*
> ------------------------------
> E-mail: Kyle.Lamkin@ibm.com
>
>
> --------------------------------------------------------------------- To
> unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional
> commands, e-mail: dev-help@lucene.apache.org