Fixed Issues in YARN and YARN Queue Manager

Review the list of YARN and YARN Queue Manager issues that are resolved in Cloudera Runtime 7.1.9 SP1.

COMPX-16696: YARN Queue Manager - Dropwizard version upgrade to 2.1.11
Dropwizard is upgraded to version 2.1.11 from an older, vulnerable version. After the upgrade, YARN Queue Manager no longer disables the replacement rules.
COMPX-16626: YARN Queue Manager - Upgrade Bouncy Castle version to 1.78 due to CVE-2024-29857, CVE-2024-30171 and CVE-2024-30172
Bouncy Castle is upgraded to version 1.78 to fix the following vulnerabilities:
  • CVE-2024-29857: Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
  • CVE-2024-30171: Exception processing in RSA-based handshakes could leak timing information; this leakage has been eliminated.
  • CVE-2024-30172: A crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
COMPX-16386: CDPD - Upgrade Spring Security version to 5.7.12/5.8.11/6.1.8/6.2.3 due to CVE-2023-34042 and CVE-2024-22257
Spring Security is upgraded to version 5.7.12/5.8.11/6.1.8/6.2.3 to fix the following vulnerabilities:
  • CVE-2023-34042: The `spring-security.xsd` file inside the `spring-security-config` JAR file is world-writable. If extracted, it could be written by anyone with access to the file system. While there are no known exploits currently, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could potentially result in an exploit. You should update to the latest version of Spring Security to mitigate any future risks associated with this issue.
  • CVE-2024-22257: In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, and 6.2.x prior to 6.2.3, an application is potentially vulnerable to broken access control when it directly uses the `AuthenticatedVoter#vote` method with a null `Authentication` parameter.
COMPX-11626: Improved management of HDFS delegation tokens in YARN
YARN now efficiently manages HDFS delegation tokens before log aggregation attempts to write logs to HDFS. Tokens are iterated through and renewed as necessary. If renewal fails and a token expires, it is promptly removed from the credentials, ensuring smoother operation of log aggregation processes.
COMPX-11263: Inconsistent display of updated configuration values in YARN Queue Manager UI
The YARN Queue Manager UI intermittently displayed old configuration values after updates. This issue has been fixed, and the UI now reliably shows only the new values entered by the user immediately after an update.
CDPD-66169: Apache Hadoop - Upgrade of bcpkix-jdk15on library version to address CVE-2019-17359
The bcpkix-jdk15on library has been upgraded to version 1.70 in Hadoop to address the security vulnerability identified in CVE-2019-17359.
CDPD-60630: Knox redirecting YARN Node Manager URLs to HTTP instead of HTTPS
The YARN service definition is modified to remove the hard-coded HTTP scheme from its URL rewrite rules. This change ensures compatibility with proxying YARN whether it is deployed with or without TLS, resolving the issue of Knox redirecting YARN Node Manager URLs to HTTP instead of HTTPS.

Apache patch information

None