HDP 3.1.4 Release Notes

Fixed Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) that are addressed in this release.

CVE-2018-11770

Component: Spark

Summary: Update REST server documentation defaults.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP versions before 3.1.4.0

Users Affected: Users who use Apache Spark.

Impact: See BUG-120486 and SPARK-25088. Since version 1.3.0, Apache Spark's standalone master exposes a REST API for job submission. However, the REST API does not use any authentication mechanism, and this was not adequately documented.

Recommended Action: Upgrade to HDP 3.1.4+

CVE-2016-5017

Component: ZooKeeper

Summary: Buffer overflow in the C CLI shell in Apache Zookeeper.

Severity: Low

Vendor: Hortonworks

Versions Affected: HDP versions before 3.1.4.0

Users Affected: Users who use Apache ZooKeeper with the C client.

Impact: See BUG-120252 and ZOOKEEPER-2498. A buffer overflow in the C CLI shell in Apache ZooKeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have an unspecified impact via a long command string.

Recommended Action: Upgrade to HDP 3.1.4+

CVE-2017-5637

Component: ZooKeeper

Summary: Two four-letter-word commands, "wchp" and "wchc", are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused.

Severity: Low

Vendor: Hortonworks

Versions Affected: HDP versions before 3.1.4.0

Users Affected: Users who use Apache ZooKeeper in public infrastructure.

Impact: See BUG-120252 and ZOOKEEPER-2693. Two four-letter-word commands, "wchp" and "wchc", are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused.

Recommended Action: Upgrade to HDP 3.1.4+

CVE-2018-8012

Component: ZooKeeper

Summary: No authentication or authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP versions before 3.1.4.0

Users Affected: Users who use Apache ZooKeeper.

Impact: See BUG-120252, ZOOKEEPER-1045 and ZOOKEEPER-2726. No authentication or authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper.

Recommended Action: Upgrade to HDP 3.1.4+

CVE-2019-0201

Component: ZooKeeper

Summary: ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP versions before 3.1.4.0

Users Affected: Users who use Apache ZooKeeper.

Impact: See BUG-120252 and ZOOKEEPER-1392. ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string.

Recommended Action: Upgrade to HDP 3.1.4+