Fixed Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) that are addressed in this release.
CVE-2018-11770
Component: Spark
Summary: Update Rest Server docs defaults.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.4.0
Users Affected: Users who use Apache Spark.
Impact: See BUG-120486 and SPARK-25088. From version 1.3.0, Apache Spark's standalone master exposes a REST API for job submission. However, the REST API does not use any authentication mechanism, and this is not adequately documented.
Recommended Action: Upgrade to HDP 3.1.4+
CVE-2016-5017
Component: ZooKeeper
Summary: Buffer overflow in the C CLI shell in Apache ZooKeeper.
Severity: Low
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.4.0
Users Affected: Users who use Apache ZooKeeper with C client.
Impact: See BUG-120252 and ZOOKEEPER-2498. Buffer overflow in the C CLI shell in Apache ZooKeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
Recommended Action: Upgrade to HDP 3.1.4+
CVE-2017-5637
Component: ZooKeeper
Summary: Two four letter word commands "wchp/wchc" are CPU intensive and could cause a spike in CPU utilization on the Apache ZooKeeper server if abused.
Severity: Low
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.4.0
Users Affected: Users who use Apache ZooKeeper in public infrastructure.
Impact: See BUG-120252 and ZOOKEEPER-2693. Two four letter word commands "wchp/wchc" are CPU intensive and could cause a spike in CPU utilization on the Apache ZooKeeper server if abused.
Recommended Action: Upgrade to HDP 3.1.4+
CVE-2018-8012
Component: ZooKeeper
Summary: No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.4.0
Users Affected: Users who use Apache ZooKeeper.
Impact: See BUG-120252 and ZOOKEEPER-1045, ZOOKEEPER-2726. No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper.
Recommended Action: Upgrade to HDP 3.1.4+
CVE-2019-0201
Component: ZooKeeper
Summary: ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.4.0
Users Affected: Users who use Apache ZooKeeper.
Impact: See BUG-120252 and ZOOKEEPER-1392. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string.
Recommended Action: Upgrade to HDP 3.1.4+