You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hadoop.apache.org by Akira Ajisaka <aa...@apache.org> on 2019/10/04 01:31:16 UTC

CVE-2018-11768: HDFS FSImage Corruption

CVE-2018-11768: HDFS FSImage Corruption


Severity: Critical


Vendor: The Apache Software Foundation


Versions affected:

3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4


Description:

There is a mismatch in the size of the fields used to store user/group
information between memory and disk representation. This causes the
user/group information to be corrupted across storing in fsimage and
reading back from fsimage.


Mitigation:

Users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or upper. This
vulnerability fix contains a fsimage layout change, so once the image is
saved in the new layout format you cannot go back to a version that doesn’t
support the newer layout. This means that once 2.7.x users upgraded to the
fixed version, they cannot downgrade to 2.7.x because there is no fixed
version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that
contains the vulnerability fix.


Credit:

This issue was discovered by Ekanth Sethuramalingam.