Fixed Issues in Iceberg
Cloudera Runtime 7.1.9 SP2 resolves identified Iceberg functional errors and includes technical patches to improve service stability and performance.
- CDPD-100133, CDPD-97494: Upgrade avro to 1.11.5 or 1.12.1 due to CVE-2025-33042
- CVE-2025-33042 is an improper control of code generation
in the Apache Avro Java SDK that allows code injection when generating specific records from
untrusted Avro schemas in versions up to 1.11.4 and 1.12.0.
To avoid this CVE, the Avro library is upgraded to version 1.11.5 or 1.12.1.
- CDPD-99389: Upgrade Apache Parquet to 1.15.2 due to CVE-2025-46762
- CVE-2025-46762 affects schema parsing in the parquet-avro
module of Apache Parquet 1.15.0 and earlier versions, which allows arbitrary code execution when
using untrusted packages. Although version 1.15.1 introduced restrictions, default trusted
package settings still allow execution of malicious classes when using
specific or reflect models. To avoid this CVE, Apache Parquet is upgraded to version 1.15.2.
- CDPD-64337: Upgrade Bouncy Castle to 1.78 due to CVE-2023-33202, CVE-2023-33201, CVE-2024-29857, CVE-2024-30171, and CVE-2024-30172
- Earlier versions of Bouncy Castle are affected by CVE-2023-33202, CVE-2023-33201,
CVE-2024-29857, CVE-2024-30171, and CVE-2024-30172. These
vulnerabilities include denial of service during PEM parsing, LDAP injection during
certificate validation, high CPU usage from crafted EC parameters, timing-based leakage in
RSA handshakes, and infinite loop conditions in Ed25519 verification.
To avoid these CVEs, Bouncy Castle is upgraded to version 1.78.
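To confirm that a host no longer carries the affected libraries, the following added example (not Cloudera's code) checks jar file names against the fixed versions listed above. The jar naming pattern, the `audit` helper and the sample file names are assumptions made for illustration.

```python
import re

# Fixed upstream versions as stated in the release note, one entry per release line.
FIXED = {
    "avro": [(1, 11, 5), (1, 12, 1)],   # CVE-2025-33042
    "parquet-avro": [(1, 15, 2)],       # CVE-2025-46762
    "bcprov": [(1, 78, 0)],             # Bouncy Castle CVEs, fixed in 1.78
}

# Assumed jar naming: <artifact>-<version>[vendor suffix].jar
JAR_RE = re.compile(r"^(?P<name>[a-z][a-z0-9-]*?)-(?P<ver>\d+(?:\.\d+)+)")


def upstream_version(ver):
    """Keep the first three numeric components, padding '1.78' to (1, 78, 0)."""
    parts = [int(p) for p in ver.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(version, fixed):
    """Fixed if at or past the fix on its own release line, or past the newest fix."""
    return version >= max(fixed) or any(
        version[:2] == f[:2] and version >= f for f in fixed
    )


def audit(jar_names):
    """Return (jar, component, version) for every jar below its fixed version."""
    findings = []
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if not m:
            continue
        for component, fixed in FIXED.items():
            if m["name"] == component or m["name"].startswith(component + "-"):
                version = upstream_version(m["ver"])
                if not is_fixed(version, fixed):
                    findings.append((jar, component, version))
    return findings


# Constructed file names, not taken from a real cluster.
SAMPLE = ["avro-1.11.4.jar", "avro-1.12.0.jar", "avro-1.11.5.jar",
          "avro-1.11.1.7.1.9.1000-12.jar", "parquet-avro-1.15.1.jar",
          "parquet-avro-1.15.2.jar", "bcprov-jdk15on-1.70.jar",
          "bcprov-jdk18on-1.78.jar", "commons-io-2.11.0.jar"]

if __name__ == "__main__":
    for jar, component, version in audit(SAMPLE):
        print(f"{jar}: {component} {'.'.join(map(str, version))} is below the fixed version")
```

The check compares only the upstream part of a vendor-suffixed version, so a build that carries a backported fix under an older version number is still reported and needs manual confirmation. It also does not see copies of these libraries shaded into other jars.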
