Per Apache security vulnerability report policy
https://www.apache.org/security/committers.html
we do not make public JIRAs for vulnerability reports.

The CVE itself has nothing to do with rollbacks. However, the fix itself
changes the fsimage format, so you won't be able to roll back to a 2.7 version.

On Fri, Oct 4, 2019 at 7:25 AM Clay Baenziger (BLOOMBERG/ 731 LEX) <
cbaenzi...@bloomberg.net> wrote:

> -General@
> +HDFS-dev@
> Hi Akira,
>
> Thanks for pointing out this CVE before my users come asking. Would you be
> able to point to a JIRA ticket describing this issue? I see a few[1] which
> look to align roughly to the release but do not grok why they would trigger
> a CVE[2]. Also is this CVE only to do with the inability of rolling-back to
> a 2.7.x release?
>
> -Clay
>
> [1]: Tickets which seem to be similar:
>
> * HDFS-13314 - NameNode should optionally exit if it detects FsImage corruption
> * HDFS-13101 - Yet another fsimage corruption related to snapshot
> * HDFS-13596 - NN restart fails after RollingUpgrade from 2.x to 3.x
>
> [2]: I am under the impression CVEs were to track security related
> vulnerabilities?
>
> From: aajis...@apache.org At: 10/03/19 21:30:33 To:
> gene...@hadoop.apache.org, secur...@hadoop.apache.org
> Subject: CVE-2018-11768: HDFS FSImage Corruption
>
> CVE-2018-11768: HDFS FSImage Corruption
>
>
> Severity: Critical
>
>
> Vendor: The Apache Software Foundation
>
>
> Versions affected:
>
> 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4
>
>
> Description:
>
> There is a mismatch in the size of the fields used to store user/group
> information between the in-memory and on-disk representations. This causes
> the user/group information to be corrupted when it is stored in the fsimage
> and read back from the fsimage.
>
>
> Mitigation:
>
> Users should upgrade to Apache Hadoop 2.8.5, 2.9.2, 3.1.2 or later. This
> vulnerability fix contains an fsimage layout change, so once the image is
> saved in the new layout format you cannot go back to a version that doesn't
> support the newer layout. This means that once 2.7.x users have upgraded to
> the fixed version, they cannot downgrade to 2.7.x, because there is no fixed
> version in 2.7.x. We suggest downgrading to 2.8.5 or a later version that
> contains the vulnerability fix.
>
>
> Credit:
>
> This issue was discovered by Ekanth Sethuramalingam.
>
>
>

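The advisory names the bug class (an in-memory field wider than the on-disk slot that is supposed to hold it) but not how the corruption shows up. The following is an added example, not Hadoop's code and not a description of the real fsimage layout: it models a packed owner/group/mode word with assumed field widths (24-bit user, 24-bit group, 16-bit mode in one 64-bit word) and shows how an identifier that does not fit its slot silently reads back as a different principal, beside a writer that refuses to serialize what does not fit.

```python
"""Round-trip of a packed permission word: silent truncation vs. a loud check.

Added example, not Hadoop code. Field widths are an assumption chosen to
illustrate the class of bug in the advisory, not the real fsimage format.
"""
import struct
from typing import Tuple

USER_BITS = 24    # assumed on-disk width of the user field
GROUP_BITS = 24   # assumed on-disk width of the group field
MODE_BITS = 16    # assumed on-disk width of the permission bits
USER_SHIFT = GROUP_BITS + MODE_BITS
GROUP_SHIFT = MODE_BITS


def mask(bits: int) -> int:
    """Bit mask with the low `bits` bits set."""
    return (1 << bits) - 1


def pack_lossy(user_id: int, group_id: int, mode: int) -> bytes:
    """'Before': an unchecked writer. Values wider than their slot are masked,
    so a 32-bit in-memory id is silently truncated to its low 24 bits."""
    word = ((user_id & mask(USER_BITS)) << USER_SHIFT
            | (group_id & mask(GROUP_BITS)) << GROUP_SHIFT
            | (mode & mask(MODE_BITS)))
    return struct.pack(">Q", word)   # big-endian 64-bit word on "disk"


def unpack(blob: bytes) -> Tuple[int, int, int]:
    """Reader side: recover (user, group, mode) from the 64-bit word."""
    (word,) = struct.unpack(">Q", blob)
    user = (word >> USER_SHIFT) & mask(USER_BITS)
    group = (word >> GROUP_SHIFT) & mask(GROUP_BITS)
    mode = word & mask(MODE_BITS)
    return user, group, mode


class FieldOverflow(ValueError):
    """Raised when a value does not fit the on-disk field that should hold it."""


def pack_checked(user_id: int, group_id: int, mode: int) -> bytes:
    """'After': refuse to write a value that cannot survive the round trip,
    so the mismatch fails at save time instead of corrupting ownership."""
    for name, value, bits in (("user", user_id, USER_BITS),
                              ("group", group_id, GROUP_BITS),
                              ("mode", mode, MODE_BITS)):
        if not 0 <= value <= mask(bits):
            raise FieldOverflow(f"{name} value {value} does not fit in {bits} bits")
    return pack_lossy(user_id, group_id, mode)


def roundtrip_ok(user_id: int, group_id: int, mode: int, packer=pack_lossy) -> bool:
    """True if what the reader recovers equals what the writer was given."""
    return unpack(packer(user_id, group_id, mode)) == (user_id, group_id, mode)


if __name__ == "__main__":
    # Constructed input: an in-memory user serial that needs 25 bits.
    wide_user = (1 << USER_BITS) | 5
    print("lossy round trip:", unpack(pack_lossy(wide_user, 7, 0o755)))
    print("lossy round trip ok?", roundtrip_ok(wide_user, 7, 0o755))
    try:
        pack_checked(wide_user, 7, 0o755)
    except FieldOverflow as e:
        print("checked writer refused:", e)
```

With the lossy writer the constructed user value `(1 << 24) | 5` comes back as `5`: after a save and reload the file is owned by whichever principal holds serial 5, with no error anywhere. The checked writer turns the same condition into an exception at save time, which is the behaviour a practitioner wants from a serializer whose layout cannot represent every in-memory value. Widening the on-disk field is the other half of a real fix, and is exactly the kind of layout change the advisory warns makes the new image unreadable by older versions.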