Known Issues in Apache Zeppelin
Learn about the known issues in Zeppelin, the impact or changes to the functionality, and the workaround.
- TSB 2024-650: Arbitrary file deletion vulnerability in Apache Zeppelin
- The improper Input Validation vulnerability in Apache Zeppelin allows an attacker to delete arbitrary files. Using a successful cross-site scripting attack by accessing the logs through API:
The logs folder can be deleted from the directory where the current project is located. If the API is changed to/api/interpreter/setting/..%2Flogs/api/interpreter/setting/..%2F..%2Fzeppelinthe following setting, the entire Zeppelin application directory can be deleted. The Zeppelin application directory contains every configuration file, Zeppelin main program files, and so on, which are crucial for the proper operations of Zeppelin. - BUG-125263: Zeppelin service move fails on clusters upgraded from HDP3.1.5
- Resolve the circular symlink issue on the Zeppelin node by
linking the conf directory to a new directory under /etc/zeppelin:
- # mkdir -p /etc/zeppelin/<version>/0
- # rm /usr/hdp/<version>/zeppelin/conf
- # ln -s /etc/zeppelin/<version>/0 /usr/hdp/<version>/zeppelin/conf
- CDPD-3090: Due to a configuration typo, functionality involving notebook repositories does not work
- Due to a missing closing brace, access to the notebook repositories API is blocked by default.
- CDPD-2406: Logout button does not work
- Clicking the Logout button in the Zeppelin UI logs you out, but then immediately logs you back in using SSO.
- OPSAPS-59802: Zeppelin and Livy roles should be co-located on the same host.
- When installing or upgrading to CDP Private Cloud Base, you must co-locate all Zeppelin and Livy roles on the same cluster host due to an issue with certificate generation.
