Fixed Issues in Cloudera Search
Review the list of Cloudera Search issues that are resolved in Cloudera Runtime 7.1.7.
- CDPD-18099: Solr upgrade does not handle aliases.json
- In earlier releases, the solr-upgrade.sh script did not handle the aliases.json file correctly, so you had to recreate aliases after an upgrade. You no longer need to recreate aliases manually on an upgraded cluster, provided that you perform the upgrade using Cloudera Manager version 7.4.2 or higher.
- OPSAPS-59115: Creating a config on Local File System does not work on upgraded clusters
- If you performed an upgrade using Cloudera Manager version 7.4.2 or earlier, the localFSTemplate might not have been uploaded to ZooKeeper. In that case the solrctl config --create newconfig localFSTemplate call did not work. You no longer face this issue if you perform the upgrade using Cloudera Manager version 7.4.3 or higher.
Technical Service Bulletins
- TSB 2021-495: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections
- For the latest update on this issue see the corresponding Knowledge article: TSB 2021-495: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections - CVE-2021-29943
- TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler
- For the latest update on this issue see the corresponding Knowledge article: TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler
- TSB-847: CVE-2025-30065 Apache Parquet vulnerability
- On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced.
Remediation for affected versions
The Cloudera Search release is patched through the CDP updates for the public cloud and private cloud base.
Vulnerability details
Exploiting this vulnerability is only possible by modifying the accepted schema used for translating Parquet files and subsequently submitting a specifically crafted malicious file.
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Attackers may be able to modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.
Deserialization vulnerabilities most commonly lead to undefined behavior, such as memory modification or remote code execution.
Action required - Mitigation for affected Cloudera products:
Until an upgrade with Apache Parquet 1.15.1 or higher is available:
- Utilize a File Integrity Monitoring (FIM) solution. This allows administrators to monitor files at the filesystem level and receive alerts on any unexpected or suspicious activity in the schema configuration.
- Monitor network activity for any transmission of Parquet files, and alert on any unexpected activity.
- Be cautious with Parquet files from unknown or untrusted sources. If possible, do not process files with uncertain origin or that came from outside the organization.
- Ensure that only authorized users have access to endpoints that ingest Parquet files.
For the latest update on this issue see the corresponding Knowledge Article: TSB 2025-847: Critical Apache Parquet vulnerability CVE-2025-30065
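The mitigations above (trust only known sources, restrict who can submit files, keep an integrity record) can be enforced at the point where Parquet files enter the pipeline. The following is an added illustration, not code from Cloudera or the Apache Parquet project: a hypothetical pre-ingest screen that rejects files from sources outside an allowlist, verifies the file is structurally a Parquet container (leading and trailing PAR1 magic, footer length that fits inside the file), and computes a SHA-256 to hand to a FIM or SIEM record. The source names and the sample bytes are constructed for the example. It deliberately does not parse the Thrift footer or the embedded schema, and it is a stop-gap control, not a substitute for upgrading to a patched parquet-avro.

```python
"""Pre-ingest screening of Parquet files (hypothetical example, not Cloudera code)."""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

PARQUET_MAGIC = b"PAR1"
# Smallest possible container: leading magic + 4-byte footer length + trailing magic.
MIN_PARQUET_SIZE = 12


@dataclass
class ScreenResult:
    accepted: bool
    reason: str
    sha256: str = ""
    footer_len: int = -1


def parquet_footer_length(data: bytes) -> int:
    """Return the footer length recorded in the trailer, or -1 if the bytes are not
    structurally a Parquet container (magic missing, footer length out of range).

    Layout checked: PAR1 | ...column data... | footer | footer_len (uint32 LE) | PAR1
    """
    if len(data) < MIN_PARQUET_SIZE:
        return -1
    if not (data.startswith(PARQUET_MAGIC) and data.endswith(PARQUET_MAGIC)):
        return -1
    (footer_len,) = struct.unpack("<I", data[-8:-4])
    # The footer must fit between the leading magic and the 8-byte trailer; a
    # length that points past the start of the file is a classic truncation or
    # crafted-file signal and should not reach the real parser.
    if footer_len == 0 or footer_len > len(data) - MIN_PARQUET_SIZE:
        return -1
    return footer_len


def screen_parquet(data: bytes, source: str, trusted_sources: frozenset[str]) -> ScreenResult:
    """Gate one file: reject untrusted origins first, then malformed containers.

    On acceptance the SHA-256 is returned so the caller can log it as the
    integrity baseline that a FIM solution later compares against.
    """
    if source not in trusted_sources:
        return ScreenResult(False, f"untrusted source: {source}")
    footer_len = parquet_footer_length(data)
    if footer_len < 0:
        return ScreenResult(False, "not a well-formed Parquet container")
    return ScreenResult(True, "ok", hashlib.sha256(data).hexdigest(), footer_len)


def make_sample_parquet(footer: bytes, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: only the container framing, not a real Parquet file."""
    return PARQUET_MAGIC + body + footer + struct.pack("<I", len(footer)) + PARQUET_MAGIC


if __name__ == "__main__":
    trusted = frozenset({"etl-batch", "ingest-gateway"})  # hypothetical source names
    good = make_sample_parquet(b"F" * 20)
    print(screen_parquet(good, "etl-batch", trusted))
    print(screen_parquet(good, "unknown-upload", trusted))
    # Footer length claims 100 bytes in a 16-byte file: rejected before parsing.
    bogus = PARQUET_MAGIC + b"\x00" * 4 + struct.pack("<I", 100) + PARQUET_MAGIC
    print(screen_parquet(bogus, "etl-batch", trusted))
```

Ordering matters: the source check runs before any byte of the file is inspected, so an attacker who cannot reach a trusted submission path never gets the container parsed at all. Feed the returned digest and source into your FIM or SIEM so that later modification of a file already on disk is detectable.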