title: Hadoop CVE List menu: main: name: “Published CVEs” parent: “community”

This page lists security fixes that the Hadoop PMC felt warranted a CVE. If you think something is missing from this list or if you think the set of impacted or fixed versions is incomplete then please ask on the Security list.

CVEs are presented in most-recent-first order of announcement.

CVE-2020-9492 Apache Hadoop Potential privilege escalation

WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. A crafty user can trigger services to send server credentials to a webhdfs path for capturing the service principal.

Users of the affected versions should apply either of the following mitigations:

  • Set different http signature secrets and use dedicated hosts for each privileged impersonation service (such as HiveServer2).
  • Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer with TLS encryption enabled and configure dfs.http.policy to HTTPS_ONLY.
  • Versions affected: 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0
  • Fixed versions: 3.2.2, 3.1.4, 2.10.1
  • Impact: privilege escalation
  • Reporter: Kevin Risden
  • Reported Date: 2020/03/17
  • Issue Announced: 2021/01/26 (general@hadoop)

CVE-2018-11764 Apache Hadoop Privilege escalation in web endpoint

Web endpoint authentication check is broken. Authenticated users may impersonate any user even if no proxy user is configured.

  • Versions affected: 3.0.0-alpha4, 3.0.0-beta1, 3.0.0
  • Fixed versions: 3.0.1
  • Impact: privilege escalation
  • Reporter: Daryn Sharp
  • Reported Date: 2018/03/17
  • Issue Announced: 2020/10/21 (general@hadoop)

CVE-2018-11765 Potential information disclosure in Apache Hadoop Web interfaces

When Kerberos authentication is enabled and SPNEGO through HTTP is not enabled, any users can access some servlets without authentication.

  • Versions affected: 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5
  • Fixed versions: 3.0.1, 2.10.0
  • Impact: information disclosure
  • Reporter: Larry McCay (Discovered by Owen O'Malley)
  • Reported Date: 2018/03/11
  • Issue Announced: 2020/09/28 (general@hadoop)

CVE-2018-11768 Apache Hadoop HDFS FSImage Corruption

There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage.

This vulnerability fix contains a fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn’t support the newer layout. This means that once 2.7.x users upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or upper version that contains the vulnerability fix.

  • Versions affected: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4
  • Fixed versions: 3.1.2, 2.9.2, 2.8.5
  • Impact: information disclosure
  • Reporter: Ekanth Sethuramalingam
  • Reported Date: 2018/06/05
  • Issue Announced: 2019/10/03 (general@hadoop)

CVE-2018-8029 Apache Hadoop Privilege escalation vulnerability

A user who can escalate to yarn user can possibly run arbitrary commands as root user.

  • Versions affected: 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4
  • Fixed versions: 3.1.1, 2.9.2, 2.8.5
  • Impact: privilege escalation
  • Reporter: Miklos Szegedi
  • Reported Date: 2018/05/08
  • Issue Announced: 2019/05/30 (general@hadoop)

CVE-2018-11767 Apache Hadoop KMS ACL regression

After the security fix for CVE-2017-15713, KMS has an access control regression, blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms such as LdapGroupsMapping, CompositeGroupsMapping, or NullGroupsMapping.

  • Versions affected: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6
  • Fixed versions: 2.9.2, 2.8.5, 2.7.7
  • Impact: privilege escalation
  • Reporter: Wei-Chiu Chuang
  • Reported Date: 2018/05/09
  • Issue Announced: 2019/03/11 (general@hadoop)

CVE-2018-1296 Apache Hadoop HDFS Permissive listXAttr Authorization

HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. This affects features that store sensitive data in extended attributes, such as HDFS encryption secrets.

  • Versions affected: 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5
  • Fixed versions: 3.0.1, 2.9.1, 2.8.4, 2.7.6
  • Impact: information disclosure
  • Reporter: Rushabh Shah
  • Reported Date: 2018/02/09
  • Issue Announced: 2019/01/24 (general@hadoop)

CVE-2018-11766 Apache Hadoop privilege escalation vulnerability

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.

  • Versions affected: 2.7.4 to 2.7.6
  • Fixed versions: 2.7.7
  • Impact: privilege escalation
  • Reporter: Wilfred Spiegelenburg
  • Reported Date: 2018/05/04
  • Issue Announced: 2018/11/27 (general@hadoop)

CVE-2018-8009 Apache Hadoop distributed cache archive vulnerability

Vulnerability allows a cluster user to publish a public archive that can affect other files owned by the user running the YARN NodeManager daemon. If the impacted files belong to another already localized, public archive on the node then code can be injected into the jobs of other cluster users using the public archive.

  • Versions affected: 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11
  • Fixed versions: 3.1.1, 3.0.3, 2.9.2, 2.8.5, 2.7.7
  • Impact: injection attack
  • Credit: Snyk Security Research Team
  • Reported Date: 2018/04/19
  • Issue Announced: 2018/11/22 (user@hadoop)

CVE-2016-6811 Apache Hadoop Privilege escalation vulnerability

A user who can escalate to yarn user can possibly run arbitrary commands as root user.

  • Versions affected: 2.2.0 to 2.7.3
  • Fixed versions: 2.7.4 or newer
  • Impact: privilege escalation
  • Reporter: Freddie Rice
  • Reported Date: 2016/07/06
  • Issue Announced: 2018/05/01 (user@hadoop)

Note: The fix for this vulnerability is incomplete in Apache Hadoop 2.7.4 to 2.7.6 (CVE-2018-11766).

CVE-2017-15718 Apache Hadoop YARN NodeManager vulnerability

In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The YARN NodeManager can leak the password for credential store provider used by the NodeManager to YARN Applications.

If you use the CredentialProvider feature to encrypt passwords used in NodeManager configs, it may be possible for any Container launched by that NodeManager to gain access to the encryption password. The other passwords themselves are not directly exposed.

  • Versions affected: 2.7.3, 2.7.4
  • Fixed versions: 2.7.5
  • Impact: privilege escalation
  • Reporter: Vinayakumar B.
  • Reported Date: 2017/09/18
  • Issue Announced: 2018/01/24 (user@hadoop)

CVE-2017-15713 Apache Hadoop MapReduce job history server vulnerability

Vulnerability allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.

  • Versions affected: 3.0.0-alpha to 3.0.0-beta1, 2.8.0 to 2.8.2, 2.0.0-alpha to 2.7.4, 0.23.0 to 0.23.11
  • Fixed versions: 3.0.0, 2.9.0, 2.8.3, 2.7.5
  • Impact: privilege escalation
  • Reporter: Man Yue Mo of lgtm.com
  • Reported Date: 2017/06/30
  • Issue Announced: 2018/01/19 (user@hadoop)

CVE-2017-3166 Apache Hadoop Privilege escalation vulnerability

In a cluster where the YARN user has been granted access to all HDFS encryption keys, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, e.g. via the MapReduce distributed cache, that file will be stored in a world-readable location and shared freely with any application that requests to localize that file, no matter who the application owner is or whether that user should be allowed to access files from the target encryption zone.

  • Versions affected: 3.0.0-alpha1 - 3.0.0-alpha3 , 2.7.0 to 2.7.3, 2.6.1-2.6.5
  • Fixed versions: 3.0.0-alpha4, 2.8.0, 2.7.4
  • Impact: privilege escalation
  • Reporter: Luke Herbert
  • Reported Date: 2016/11/18
  • Issue Announced: 2017/11/08 (general@hadoop)