View all newsletters
Receive our newsletter – data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 4, 2019

Critical Hadoop Vulnerability Identified

A critical vulnerability in Apache Hadoop, the widely used framework for distributed processing of large data sets, requires urgent patching.

By CBR Staff Writer

Uber software engineer Ekanth Sethuramalingam he has identified a critical vulnerability in Apache Hadoop – the widely used framework for distributed processing of large data sets.

The Hadoop vulnerability, CVE-2018-11768, affects Hadoop versions 3.1.0 to 3.1.1; 3.0.0-alpha1 to 3.0.3; 2.9.0 to 2.9.1; 2.0.0-alpha to 2.8.

Describing it as involving a “a mismatch in the size of the fields used to store user/group information between memory and disk representation”, the Apache Software Foundation said the vulnerability “causes the
user/group information to be corrupted across storing in fsimage and
reading back from fsimage.”

FSimage is a file stored on the OS filesystem that contains the complete directory structure (namespace) of the Hadoop Distributed File System with details about the location of the data.

There is currently little public information available about the precise details of how to exploit the Hadoop vulnerability (Computer Business Review has contacted Sethuramalingam for further details and will update this piece when we recieve them) but given its severity, users should patch urgently.

A security list email from the ASF says users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or upper.

“This vulnerability fix contains a fsimage layout change, so once the image is
saved in the new layout format you cannot go back to a version that doesn’t
support the newer layout. This means that once 2.7.x users upgraded to the
fixed version, they cannot downgrade to 2.7.x because there is no fixed
version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that
contains the vulnerability fix.”

Content from our partners
Harnessing the power of low code and no code development
Signs your accounting software is no longer fit for your growing business
Incumbent banks must transform at speed, or miss the benefits of open banking

With unpatched software one of the single greatest ongoing causes of data breaches and other security issues, prompt fixes of issues like this are crucial to security hygiene.

See also: Security Firm Comodo Hacked, as vBulletin Exploit Spawns


Topics in this article: , , ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy