October 4, 2019

Critical Hadoop Vulnerability Identified

A critical vulnerability in Apache Hadoop, the widely used framework for distributed processing of large data sets, requires urgent patching.

By CBR Staff Writer

Uber software engineer Ekanth Sethuramalingam has identified a critical vulnerability in Apache Hadoop, the widely used framework for distributed processing of large data sets.

The Hadoop vulnerability, CVE-2018-11768, affects Hadoop versions 3.1.0 to 3.1.1; 3.0.0-alpha1 to 3.0.3; 2.9.0 to 2.9.1; and 2.0.0-alpha to 2.8.4 (the last 2.8 release before the fix).

Describing it as involving “a mismatch in the size of the fields used to store user/group information between memory and disk representation”, the Apache Software Foundation said the vulnerability “causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage.” The security consequence follows from what those fields are for: HDFS evaluates permission checks against the owner and group recorded on each inode, so once a NameNode reloads a corrupted image, files can come back attributed to the wrong principals and have their access rules enforced against them.

fsimage is the checkpoint file the NameNode keeps on its local filesystem. It holds the complete HDFS namespace: the directory tree, each file's list of blocks, and per-inode metadata such as permission mode, owner and group (the user/group fields this bug corrupts). It does not record which DataNodes hold each block; those locations are rebuilt from block reports when the NameNode starts.

There is currently little public information available about the precise details of how to exploit the Hadoop vulnerability (Computer Business Review has contacted Sethuramalingam for further details and will update this piece when we receive them), but given its severity, users should patch urgently.

A security list email from the ASF says users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or later.

“This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users have upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrading to 2.8.5 or a later version that contains the vulnerability fix.”
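A check worth running around that upgrade, given as an added example rather than anything from the advisory: dump the image before the upgrade and again after the first checkpoint on the fixed version, then compare owner, group and permission bits per path. The code below assumes the tab-separated output of `hdfs oiv -p Delimited -i <fsimage> -o <dump>` with a header row, and locates the Path, Permission, UserName and GroupName columns by name (those column names are an assumption about the tool's output); the two dumps embedded in it are constructed sample text, not real cluster output.

```python
"""Compare per-path ownership between two fsimage dumps.

Added example, not Hadoop code. Input is assumed to be `hdfs oiv -p Delimited`
output: tab-separated, header row first, with columns named Path,
Permission, UserName and GroupName. Sample dumps are constructed.
"""
import csv
import io

HEADER = ("Path\tReplication\tModificationTime\tAccessTime\tPreferredBlockSize"
          "\tBlocksCount\tFileSize\tNSQUOTA\tDSQUOTA\tPermission\tUserName\tGroupName\n")

# Constructed dump taken (in this story) before the upgrade.
DUMP_BEFORE = HEADER + (
    "/\t0\t2019-10-01 10:00\t1970-01-01 00:00\t0\t0\t0\t9223372036854775807\t-1\tdrwxr-xr-x\thdfs\tsupergroup\n"
    "/data/payroll.csv\t3\t2019-10-01 10:05\t2019-10-01 10:05\t134217728\t1\t4096\t0\t0\t-rw-r-----\talice\tanalysts\n"
    "/data/public.txt\t3\t2019-10-01 10:06\t2019-10-01 10:06\t134217728\t1\t512\t0\t0\t-rw-r--r--\talice\tanalysts\n"
)

# Constructed dump after reload: one file has silently changed hands.
DUMP_AFTER = HEADER + (
    "/\t0\t2019-10-01 10:00\t1970-01-01 00:00\t0\t0\t0\t9223372036854775807\t-1\tdrwxr-xr-x\thdfs\tsupergroup\n"
    "/data/payroll.csv\t3\t2019-10-01 10:05\t2019-10-01 10:05\t134217728\t1\t4096\t0\t0\t-rw-r-----\tbob\twheel\n"
    "/data/public.txt\t3\t2019-10-01 10:06\t2019-10-01 10:06\t134217728\t1\t512\t0\t0\t-rw-r--r--\talice\tanalysts\n"
)

WANTED = ("Permission", "UserName", "GroupName")


def load_dump(text):
    """Map each path to its (permission, owner, group) triple."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    missing = [c for c in ("Path",) + WANTED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"dump lacks expected columns: {missing}")
    return {row["Path"]: tuple(row[c] for c in WANTED) for row in reader}


def ownership_diff(before_text, after_text):
    """Return (path, before, after) for every path whose triple differs.

    Paths present on only one side appear with None on the missing side,
    so an inode that vanished or appeared is reported too.
    """
    before, after = load_dump(before_text), load_dump(after_text)
    changes = []
    for path in sorted(before.keys() | after.keys()):
        if before.get(path) != after.get(path):
            changes.append((path, before.get(path), after.get(path)))
    return changes


if __name__ == "__main__":
    for path, old, new in ownership_diff(DUMP_BEFORE, DUMP_AFTER):
        print(f"{path}: {old} -> {new}")
```

An empty diff is the expected result on a healthy cluster; any path whose owner or group moved between the two dumps without an administrative change is worth treating as a permission incident, not just a metadata oddity, since the rules on that path are now being enforced for the wrong principals.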


With unpatched software among the most persistent causes of data breaches and other security incidents, prompt application of fixes like this one is basic security hygiene.
