HDP 3.1.5 Release Notes

Fixed Common Vulnerabilities and Exposures

There are no Common Vulnerabilities and Exposures (CVEs) that are fixed in this release.

CVE-2018-11768

Component: Apache Hadoop Common/HDFS

Summary: The user/group information can be corrupted when it is stored in the fsimage and read back from the fsimage.

Severity: Critical

Vendor: Cloudera

Versions Affected: HDP 3.x

Users Affected: Users using HDFS in HDP 3.1.4.0 or earlier.

Impact: The fields used to store user/group information differ in size between the in-memory representation and the on-disk representation. As a result, the user/group information is corrupted when it is stored in the fsimage and read back from the fsimage.

Recommended Action: Upgrade to HDP 3.1.5.0 or later.

CVE-2018-11779

Component: Apache Storm

Summary: Storm UI daemon vulnerability.

Severity: Critical

Vendor: Cloudera

Versions Affected: HDP 3.0.x, HDP 3.1.x

Users Affected: Users using the storm-kafka-client or storm-kafka modules.

Impact: See STORM-3201. It is possible to cause the Storm UI daemon to deserialize user-provided bytes into a Java class.

Recommended Action: Upgrade to HDP 3.1.5.0 or later.