Date: Fri, 4 Oct 2019 10:33:25 +0900 From: Akira Ajisaka <aajisaka@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2018-11768: Apache Hadoop HDFS FSImage Corruption CVE-2018-11768: HDFS FSImage Corruption Severity: Critical Vendor: The Apache Software Foundation Versions affected: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4 Description: There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage. Mitigation: Users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or upper. This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the vulnerability fix. Credit: This issue was discovered by Ekanth Sethuramalingam.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.