Fixed issues in 7.1.9 CHF 3

Learn more about Cumulative Hotfix 3 (CHF 3) for 7.1.9. This cumulative hotfix was released on February 23, 2024.

The following fixes were shipped for CDP Private Cloud Base version 7.1.9-1.cdh7.1.9.p4.50495721:

  • KT-7508: Keytrustee-keyhsm - Upgrade Bouncy Castle to 1.74 due to CVE-2023-33202 and CVE-2023-33201
  • KT-7506: [FIPS+JDK11] KeyTrustee Server fails with openssl command error on outputting keys and certificates
  • COMPX-15869: [7.1.7 SP3, 7.1.9 CHF3, 7.2.19] - Queue Manager: Upgrade Okio to 3.4.0 due to CVE-2023-3635
  • COMPX-15833: Use centralized jackson version in QueueManager
  • COMPX-15798: Backport YARN-11630 (Passing admin Java options to container localizers)
  • COMPX-15737: QM - Upgrade Bouncy Castle to 1.74 due to CVE-2023-33202 and CVE-2023-33201
  • COMPX-15347: QM - Upgrade Plexus-utils to 3.3.1+ due to CVE-2022-4244 and CVE-2022-4245
  • COMPX-15205: QM - Upgrade wiremock-jre8 to 2.35.1 due to CVE-2023-41327 and CVE-2023-41329
  • COMPX-15161: Conversion from absolute to relative mode fails for low memory values
  • COMPX-14794: CPX - Upgrade moment.js to 2.29.4 due to CVE-2022-24785, CVE-2022-31129
  • COMPX-11123: Queue Manager - Upgrade Commons IO to 2.11.0/20030203.000550 due to medium CVEs
  • COMPX-7242: Fix failing unit tests: org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.TestContinuousScheduling
  • COMPX-7241: Fix failing unit test: org.apache.hadoop.yarn.client.api.impl.TestAMRMProxy.testAMRMProxyTokenRenewal
  • COMPX-6271: Fix failing unit test: org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodesScaling.testClusterScalingInfoJson
  • COMPX-6254: Fix failing unit tests: org.apache.hadoop.yarn.client.api.impl.TestNMClient
  • CDPD-66138: [7.1.9] Fix ranger kafka plugin junit test failures
  • CDPD-65548: Multi-master config fails with check failed
  • CDPD-65493: #1396168-P1-hue-7.3.0.0-107 Build Error
  • CDPD-65475: Backport 'Too many "Failed to accept allocation proposal" because of wrong Headroom check for DRF' to CDH-7.1.9.x
  • CDPD-65397: [AUTOSYNC] UNHEALTHY replicas of QUASI_CLOSED container with unique origins should be handled during decommission
  • CDPD-65341: [AUTOSYNC] Snapshot read calls are failing due to SnapshotCache's inconsistency
  • CDPD-65316: Backport HIVE-27919 to CDH-7.1.9.x
  • CDPD-65315: Backport HIVE-27658 to CDH-7.1.9.x
  • CDPD-65292: [7.1.9.CHFx]Atlas UI: Change the alignment of the Download Search button on the Classic UI search page.
  • CDPD-65284: Parcel impala-shell won't work with Python 3.8 on SLES 15
  • CDPD-65279: Phoenix - Upgrade Bouncy Castle to 1.70 due to medium CVEs
  • CDPD-65277: Backport IMPALA-12595 to 7.1.9CHF3
  • CDPD-65256: Backport TEZ-3972 to CDH-7.1.9.x
  • CDPD-65243: Backport IMPALA-12683 to 7.1.9 CHF
  • CDPD-65206: Backport IMPALA-12577 to 7.1.9 CHF
  • CDPD-65169: [AUTOSYNC] Add number of datanodes, total capacity/used space to SCMNodeMetrics
  • CDPD-65159: [AUTOSYNC] Snapshot: 'ozone fs -ls' on '.snapshot' dir of a bucket should list only active snapshots
  • CDPD-65049: HTTP security headers are missing from Oozie response
  • CDPD-65048: Backport HIVE-26208 to CDH-7.1.9.x
  • CDPD-65043: Livy - [7.1.9 CHFx] Upgrade datatables to 1.10.23+ due to CVE-2020-28458
  • CDPD-65039: Backport HDDS-8822. [S3G] Improve list performance in LEGACY bucket
  • CDPD-65038: Backport HDDS-8011. IllegalArgumentException logged for invalid user-defined metadata
  • CDPD-65036: Backport HDDS-9627. Reset RaftPeer priorities after transfer leadership
  • CDPD-65035: Backport HDDS-9314. create-bucket on an existing bucket for s3g does not fail
  • CDPD-65032: Backport HDDS-9708. Fix unit tests to reuse DispatcherContext
  • CDPD-65031: Backport HDDS-9697 ContainerStateMachine.applyTransaction(..) should not validate token again
  • CDPD-65013: CDPD - Upgrade Apache Shiro to 1.13.0 due to CVE-2023-46750
  • CDPD-65012: Upgrade Apache Shiro to 1.13.0 due to CVE-2023-46750
  • CDPD-65003: Centralize missing dependencies of Zeppelin to CDPD
  • CDPD-64948: Temporary fix compile error from HDDS-9709
  • CDPD-64919: Backport HIVE-24858 to CDH-7.1.9.x
  • CDPD-64905: Backport IMPALA-12589 to active branches
  • CDPD-64800: Classic UI - Security zone form not populate resources value properly while creating and editing zone form.
  • CDPD-64798: [7.2.18.0 & 7.1.9 CHF3] - Keep the LDAP usersync details popup names same as the backbone js names
  • CDPD-64747: Use centralized gson version in Zeppelin
  • CDPD-64736: [7.2.18.0 & 7.1.9 CHF3] Fix to use correct service for resource lookup API in security zone
  • CDPD-64734: Use centralized nimbus-jose-jwt version in Cruise Control
  • CDPD-64726: 71x backport - Slowness / broadcast timeout issues due to SPARK-33290: REFRESH TABLE should invalidate cache even though the table itself may not be cached (Spark 2.4.8)
  • CDPD-64720: Replace PHOENIX-6721 with the upstream version.
  • CDPD-64707: hue build failure in centos7
  • CDPD-64665: [MANUAL SYNC] Refine certificate renewer service to avoid it scheduled ahead of time
  • CDPD-64648: Backport the versionless bigtop-new gerrits into 7.1.8 and 7.1.9
  • CDPD-64627: [7.1.x]- Ranger - Upgrade Apache Derby to 10.17.1.0 due to CVE-2022-46337
  • CDPD-64584: [7.1.9 CHF3] Upgrade Tomcat to 8.5.96 (for CVE fixes) in all Ranger services
  • CDPD-64580: Allow ozone admin container info to list multiple containers
  • CDPD-64566: Backport PHOENIX-7148 Use getColumnLabel Instead of getColumnName in QueryServerBasicsIT
  • CDPD-64562: [AUTOSYNC] Decommission: Admin monitor should call RM.checkContainerState to check for under-replication
  • CDPD-64550: Backport PHOENIX-7143 Detect JVM version and add the necessary flags in PQS startup script (phoenix query server repo)
  • CDPD-64539: Postpone CM configuration change monitoring until the Knox GW is up&running
  • CDPD-64527: Unable to place replicas using range aware logic with multiple locations
  • CDPD-64517: Kafka connect S3 connector failing with AWS error
  • CDPD-64480: Set name field with qualifiedName for impala_process and impala_process_execution
  • CDPD-64478: Optimize Relationship Edge fetch
  • CDPD-64450: Backport PHOENIX-7143 Detect JVM version and add the necessary flags in PQS startup script (phoenix repo)
  • CDPD-64449: Backport the JVM module options from branch-2.4 HEAD
  • CDPD-64444: HWC Full GC : Stack Overflow Error fails cdh-7.1.9.x builds
  • CDPD-64427: LDAP group import/sync fails for "memberUid"
  • CDPD-64425: [FIPS+JDK11] Intermittent Kafka connection issues during installation
  • CDPD-64419: OM nodes went down due to OOM, possible memory leak
  • CDPD-64398: [AUTOSYNC] OM/DN startup failure with non-HA SCM for secret manager not initialized
  • CDPD-64376: Oozie's Spark and Spark3 option parser does not respect Java arguments starting with '--'
  • CDPD-64372: OzoneManager - isDBUpdateSuccess flag not being set at OM client causes incorrect behaviour at Recon and failed to Recover in case of rocksDB exception
  • CDPD-64364: OM/DN startup failure with non-HA SCM for secret manager not initialized
  • CDPD-64347: Extend Java opts for Livy to support JDK17 + Isilon
  • CDPD-64335: Zeppelin - Upgrade Bouncy Castle to 1.74 due to CVE-2023-33202 and CVE-2023-33201
  • CDPD-64302: Remove Derby dependency in Solr.
  • CDPD-64281: Backport HIVE-26802: Create qtest running QB compaction queries for ACID, insert-only and clustered tables
  • CDPD-64272: Atlas [7.1.9 CHFx] - Upgrade reactor-netty to 1.0.39/1.1.13 due to CVE-2023-34062
  • CDPD-64243: Backport HIVE-27643: Exclude compaction queries from ranger policies
  • CDPD-64229: Impala - Upgrade Apache Derby to 10.17.1.0 due to CVE-2022-46337
  • CDPD-64225: Sqoop - Upgrade Apache Derby to 10.17.1.0 due to CVE-2022-46337
  • CDPD-64192: [7.1.9] - Atlas Server side Ignore and Prune patterns doesn't work
  • CDPD-64184: Ozone resource lookup is not working due to "Service ID specified does not match with ozone.om.service.ids defined in the configuration."
  • CDPD-64159: [7.1.9.x] - Ranger policy delta issue causing intermittent permission deny for Hive and HDFS services
  • CDPD-64129: Backport HIVE-25684 to CDH-7.1.9.x
  • CDPD-64123: Schema Registry - Upgrade Netty Project to 4.1.100.Final due to CVE-2023-44487
  • CDPD-64122: CDPD - Upgrade aws-java-sdk-bundle to 1.12.599 due to CVE-2023-44487
  • CDPD-64115: Impala build failure for 7.1.9.1
  • CDPD-64114: Atlas - Upgrade reactor-netty to 1.0.39/1.1.13 due to CVE-2023-34062 and CVE-2023-34054
  • CDPD-64040: Remove the CDP versions from Spark 2 deprecation message
  • CDPD-64037: [7.1.9 CHF3] - "Select All permissions for all components." checkbox missing in tag based policy permission popup
  • CDPD-64032: [7.1.9.CHFx] Atlas UI Basic Searching result sorting option not available on all Columns.
  • CDPD-64019: [AUTOSYNC] Provide a flag to skip the native_rocksdb_tool loading
  • CDPD-64007: Backport HIVE-27885 on CDP branches
  • CDPD-64000: [AUTOSYNC] Datanode Write performance degradation
  • CDPD-63962: [AUTOSYNC] Over Replication Check of all UNHEALTHY replicas is broken
  • CDPD-63956: [AUTOSYNC] SCM's FinalizationStateManager#finalizeLayoutFeature Ratis call should be idempotent
  • CDPD-63947: [AUTOSYNC] Disable rocksDB cache for snapshot
  • CDPD-63915: Sqoop Teradata export fails if source table is empty
  • CDPD-63874: Changing the Ozone service Id makes the cluster[OM] state irrecoverable
  • CDPD-63849: [AUTOSYNC] Legacy Replication Manager should consider that UNHEALTHY replicas might be decommissioning
  • CDPD-63841: [AUTOSYNC] OM fails with Snapshot chain corruption during SnapshotPurge
  • CDPD-63839: [AUTOSYNC] Incorrect sorting order in RatisOverReplicationHandler
  • CDPD-63837: [AUTOSYNC] Infinite loop in ReconUtils.nextClosestPowerIndexOfTwo()
  • CDPD-63835: Backport HIVE-27679 on all CDP-PvC 7.1.[7-9] CHFx versions
  • CDPD-63804: [AUTOSYNC] SCM WebUI incorrectly renders DN links
  • CDPD-63783: [AUTOSYNC] Provide API to check a container via Replication Manager
  • CDPD-63734: [AUTOSYNC] NO_REPLICA_FOUND should trigger a OM pipeline cache refresh
  • CDPD-63733: [AUTOSYNC] Missing snapshot entries list Snapshot under a bucket API
  • CDPD-63724: Add spark-sql-kafka to Oozie Spark/Spark3 share libs
  • CDPD-63723: Sqoop should determine files as Parquet by PAR1 in header
  • CDPD-63692: In Rms- s3, db level access write permission mapping config is not working
  • CDPD-63623: [UnitTest] Some Oozie units are failing due to HCat related NPE
  • CDPD-63606: Datanodes do not Retry Pipeline Close Commands for SCM
  • CDPD-63600: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request (RANGER-4007)
  • CDPD-63588: Do not show empty containers as missing in Recon UI
  • CDPD-63574: disableLoadBalancingForUserAgents cannot be set
  • CDPD-63571: TestIcebergTable.test_hive_external_forbidden fails on 7.1.9 builds
  • CDPD-63570: TestIcebergTable.test_iceberg_negative fails on 7.1.9 builds
  • CDPD-63553: [AUTOSYNC] Containers belonging to out of service nodes, are counted as mis-replicated
  • CDPD-63527: [AUTOSYNC] Read from non-datanode host does not consider topology
  • CDPD-63523: [AUTOSYNC] Topology level is not set in datanode object for distance calculation
  • CDPD-63440: CLONE - UI: Enum type Business metadata attribute shows incorrect data when specific string is in attribute name.
  • CDPD-63371: [AUTOSYNC] Parallel loading datanode volume db store
  • CDPD-63326: Fix CVE-2023-36877 Apache Oozie Spoofing Vulnerability
  • CDPD-63291: Search - Upgrade amqp-client to 5.18.0+ due to CVE-2023-46120
  • CDPD-63287: Solr - Upgrade jose4j to 0.9.3 due to CVE-2023-31582
  • CDPD-63286: Upgrade jose4j to 0.9.3 due to CVE-2023-31582
  • CDPD-63276: [AUTOSYNC] Overwrite file by multipart upload, saving wrong ReplicationConfig in KeyInfo
  • CDPD-63124: Newly added Kudu master couldn't start on custom kerberos cluster
  • CDPD-63118: [AUTOSYNC] Replication Manager: Save UNHEALTHY replicas with highest BCSID for a QUASI_CLOSED container
  • CDPD-63117: [AUTOSYNC] Replication Manager: Do not count unique origin nodes as over-replicated
  • CDPD-63116: [AUTOSYNC] Make the number of containers logged configurable in DatanodeAdminMonitorImpl
  • CDPD-63030: [AUTOSYNC] Snapshot diff job failed due to Metrics source OmSnapshotMetrics already exists
  • CDPD-62943: [AUTOSYNC] NPE in OMDBCheckpointServlet with ozone.om.ratis.enable=false
  • CDPD-62942: [AUTOSYNC] Fix possible deadlock during shutdown in OzoneDelegationTokenSecretManager
  • CDPD-62881: [AUTOSYNC] Recon - NPE in handling deleteKey event in NSSummaryFSO task
  • CDPD-62826: [AUTOSYNC] Two S3G instances writing the same key may cause data loss in case of an exception.
  • CDPD-62719: Datanode should not need to download existing container
  • CDPD-62540: [AUTOSYNC] Pipeline close doesn't wait for containers to be closed
  • CDPD-62464: Java process called by nav2atlas.sh tool fails on JDK8
  • CDPD-62436: [AUTOSYNC] S3 default GRPC transport doesn't utilize enough parallelism on OM server-side
  • CDPD-62429: [AUTOSYNC] TypedTable prefix iterator may leak CodecBuffer
  • CDPD-62276: [AUTOSYNC] 'java.lang.UnsatisfiedLinkError' when trying to read RocksDB with 'ozone debug ldb'
  • CDPD-62095: Backport HIVE-27525 to CDP
  • CDPD-61962: [AUTOSYNC] Reduce the number of system calls when DN writes a key
  • CDPD-61913: [AUTOSYNC] Avoid copying ByteString in ByteStringCodec
  • CDPD-61754: Unknown container from datanode in Recon
  • CDPD-61742: Test failure: org.apache.spark.sql.hive.execution.HiveTableScanSuite.Spark-4077: timestamp query for null value
  • CDPD-61692: [AUTOSYNC] ReplicationManager: Ignore any Datanodes that are not in-service and healthy when finding unique origins
  • CDPD-61659: [7.1.9 CHF3] Options for permissions pop up for knox policies are not the same in Backbone UI and React JS
  • CDPD-61626: [7.1.9 CHF3] - Keep the usersync details popup names same as the backbone js names
  • CDPD-61539: [AUTOSYNC] Better datanode exclude list handling for long-lived clients
  • CDPD-61492: [AUTOSYNC] Fix comparison logic for SCMContainerPlacementCapacity.
  • CDPD-61425: [AUTOSYNC] Speed up TestStorageContainerManagerHA
  • CDPD-61336: Canary build failing with upstream Ozone master branch
  • CDPD-61251: Zookeeper - Upgrade jackson-databind to 2.13.4.1+ due to CVE-2022-42003, CVE-2022-42004
  • CDPD-61068: [AUTOSYNC] Write performance degradation
  • CDPD-60989: Upgrade Ozone upstream version for 7.1.9 release
  • CDPD-60892: [AUTOSYNC] [FSO] S3A compatibility - dfs -put creates dir and a file
  • CDPD-60882: [AUTOSYNC] Poor S3G read performance
  • CDPD-60664: [AUTOSYNC] Snapshot Bootstrap creates incorrect hard links.
  • CDPD-60592: [AUTOSYNC] OzoneManager: NPE on ACLs check in case of multipart upload to EC-bucket
  • CDPD-60367: [AUTOSYNC] Invalidate snapshot cache once snapshot gets purged
  • CDPD-60242: [AUTOSYNC] [Hsync] moves blocks to deleted table on final commit
  • CDPD-60126: [AUTOSYNC] Potential data loss with HSync due to deletedTable entry having the same block as keyTable entry's
  • CDPD-60070: [AUTOSYNC] Use sequence ID for certificate serial ID
  • CDPD-59781: [AUTOSYNC] Bucket replication type is ignored when uploading files via S3G
  • CDPD-59477: [AUTOSYNC] CreateFile is not setting isFile flag in OmKeyInfo
  • CDPD-59286: [AUTOSYNC] Reduce time of compaction pause during bootstrapping
  • CDPD-59157: [ozone-cert-rotation] cert clean is unable to cleanup certificates LOCK error
  • CDPD-58638: [AUTOSYNC] Ratis crash if a lot of directories deleted at once
  • CDPD-58116: [AUTOSYNC] Ozone is supporting unicode volume and bucket names, potentially unintentionally
  • CDPD-58047: Backport HIVE-23726 to CDP branches
  • CDPD-57788: [AUTOSYNC] Snapdiff should read only keys with the bucket prefix
  • CDPD-54981: [AUTOSYNC] [FSO] S3A compatibility - dfs -mkdir creates a zero byte file instead of a directory
  • CDPD-52277: OM shutdown when creating key with malformed characters
  • CDPD-52135: Error message is confusing when client fails to upload a key
  • CDPD-51815: Fix the regex for key name validation
  • CDPD-51329: Optimize block write path performance by reducing no of watchForCommit calls
  • CDPD-48162: Getting exception for wildcard (*) search for database and table name
  • CDPD-47138: distcp on OFS path failing with ClassNotFoundException when build is created using upstream ozone
Common Vulnerabilities and Exposures (CVEs) fixed in this CHF:
  • CVE-2023-39196
  • CVE-2023-31582
  • CVE-2020-28458
  • CVE-2021-23445
  • CVE-2023-34054
  • CVE-2023-34062
  • CVE-2023-46749
  • CVE-2023-46750
  • CVE-2023-41329
  • CVE-2023-41327