CVE-2018-11768: HDFS FSImage Corruption
Severity: Critical Vendor: The Apache Software Foundation Versions affected: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4 Description: There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage. Mitigation: Users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or upper. This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the vulnerability fix. Credit: This issue was discovered by Ekanth Sethuramalingam.