Awesome, thanks for the response, Kevin. We really appreciate it!
Bradley Parker
Security Developer
IBM Security Systems (QRadar)
bradp...@ca.ibm.com
IBM Security
----- Original message -----
From: Kevin Risden <kris...@apache.org>
To: dev@lucene.apache.org
Cc: Bradley Parker <bradp...@ca.ibm.com>
Subject: [EXTERNAL] Re: CVE-2018-11768 in regards to Solr
Date: Tue, Oct 29, 2019 2:02 PM
Solr interacts with Hadoop only as a client (except in integration tests). From the https://hadoop.apache.org/cve_list.html page, this looks like it is only an issue in the fsimage, which is server side for the Namenode. I don't think that CVE-2018-11768 applies to Solr directly.
CVE-2018-11768 Apache Hadoop HDFS FSImage Corruption
There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage.
This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the vulnerability fix.
Kevin Risden
On Tue, Oct 29, 2019 at 12:52 PM Kyle Gerald Lamkin <kyle.lam...@ibm.com> wrote:
Hello Solr Devs,
I'm looking for some information about CVE-2018-11768, a Hadoop vulnerability. In 7.7.2, Solr ships with Hadoop 2.7.4, which is affected; the closest fixed version is 2.8.5. Solr 8.x ships with Hadoop 3.2, which is not affected.
I was unable to find a Jira item for this. Should I open one for it, or is it not applicable?
Thanks for your time.
Regards,
Kyle (K.G.) Lamkin
E-mail: kyle.lam...@ibm.com
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org