June 26, 2026 - Hotfix

Review the fixed issues in this hotfix release of Cloudera Data Warehouse on cloud

What's new in Cloudera Data Warehouse on cloud

Review the new features introduced in this hotfix release of Cloudera Data Warehouse service on Cloudera on cloud, supported by version 1.12.5-b291 of the service layer and runtime version 2025.0.21.3-3.

What's new in Cloudera Data Warehouse on cloud

Access third-party licenses through the Cloudera documentation portal: To improve accessibility and reduce package sizes, the Cloudera Data Warehouse third-party license files are now hosted directly on the Cloudera documentation portal, instead of being bundled within the product.

Fixed issues

Review the fixed issues in the latest Cloudera Data Warehouse on cloud, supported by version 1.12.5-b291 of the service layer and runtime version 2025.0.21.3-3.

Fixed issues in Cloudera Data Warehouse

DWX-23671: Mixed-case usernames cause Ranger authorization failures: Previously, logging into a Hive or Impala Virtual Warehouse using mixed-case characters such as Hrt_21 would result in an AuthorizationException and cause queries to be denied if the corresponding Ranger policy was defined entirely in lowercase such as hrt_21.; This issue is now fixed. Ranger policies are evaluated case-insensitively, ensuring that usernames match lowercase policies across both Hive and Impala Virtual Warehouses.

CDPD-105038: Ranger authorization failures due to untransformed user and group names: Previously, when Ranger Usersync was configured with case conversion and special character replacement using regular expressions, it transformed the original user or group names from sources such as Active Directory or LDAP before storing them in the Ranger Admin database. If a Ranger plugin used the original, untransformed name during authorization checks, the check failed because Ranger Admin only recognized the transformed name.; This issue is now fixed. A new configurable property is introduced at the plugin level, ranger.plugin.<serviceType>.supports.name.transformation, allowing administrators to enable or disable name transformation based on deployment requirements. This property should be extended within the ranger-<serviceType>-security.xml configuration file for the respective service.

Fixed issues in Hive on Cloudera Data Warehouse

CDPD-106438: Potential vulnerability in HiveMetastore partition name direct SQL paths: Previously, a potential security vulnerability existed in the Hive Metastore where client-supplied partition names were embedded into SQL queries by using string concatenation instead of bind parameters.; This issue is now resolved by improving the robustness of the metastore direct SQL partition lookups to ensure parameters are handled securely.
CDPD-105894: SAML bearer token authentication bypass: Previously, an unauthorized attacker could bypass authentication and impersonate any user when SAML browser profile authentication was enabled for Hive HTTP ports. This occurred because the bearer token signature was not verified.; This issue is now resolved by ensuring that the bearer token signature is properly validated during the authentication process.
Apache Jira: HIVE-29653

Fixed issues in Cloudera Data Explorer (Hue) on Cloudera Data Warehouse

CDPD-104785: Arbitrary file read on Data Explorer hosts through the localfile importer feature: Previously, a local file inclusion vulnerability existed on the Data Explorer host type through the localfile importer feature. This occurred because two indexer API endpoints accepted unvalidated paths, allowing unauthorized file reads through the path parameter. This issue is now fixed.

Fixed issues in Impala on Cloudera Data Warehouse

CDPD-102537: Catalogd deadlock during startup: The issue was addressed by preventing a potential deadlock in Catalogd that could occur during startup under heavy load, such as when Catalogd is restarted after being OOMKilled by kubernetes.
Apache Jira: IMPALA-14949
CDPD-102654/DWX-23400: Impala Iceberg delete statements stop responding when the tuple cache is enabled: Previously, when you ran a DELETE statement on an Iceberg table, the Impala query could stop responding and remain in a running state.; This issue is addressed by fixing a logic error in the tuple cache.
Apache Jira: IMPALA-14951
CDPD-106024: Impala: SAML bearer token authentication is bypassed Patch Available: Previously, an unauthorized attacker could bypass authentication and impersonate any user when SAML browser profile authentication was enabled for Impala HTTP ports. This occurred because the bearer token signature was not verified.; This issue is now resolved by ensuring that the bearer token signature is properly validated during the authentication process.
Apache Jira: CDPD-106024

Fixed issues in Iceberg on Cloudera Data Warehouse

There are no fixed issues in this release.

Fixed issues in Trino on Cloudera Data Warehouse

There are no fixed issues in this release.

Known issues

Review the known issues in the latest Cloudera Data Warehouse on cloud, supported by version 1.12.5-b291 of the service layer and runtime version 2025.0.21.3-3.

Known issues in Cloudera Data Warehouse

DWX-23907: Trino is unable to read from ABFS on Azure environments: Trino queries fail intermittently when reading data from Azure Blob File System (ABFS) storage, returning Error opening split, Azure service error reading file or Azure service error fetching properties for file errors due to an Azure token throttling issue in the Trino runtime.; None

Known issues in Iceberg

CDPD-100780: Materialized view rebuild fails for Iceberg tables due to locking issue: Materialized view rebuild operations on Iceberg tables fails during execution with a compilation error. As a result, subsequent rebuild attempts fail because an existing entry remains in the MATERIALIZATION_REBUILD_LOCKS table, preventing new rebuild operations from proceeding.
This issue occurs due to a Hive limitation during materialized view rebuild, where the rebuild process fails but leaves behind a stale lock entry.; Drop and re-create materialized views instead of rebuilds. Instead of alter materialized view mat1 rebuild;, use the following command:
drop materialized view mat1; create materialized view mat1 stored by iceberg stored as orc tblproperties ('format-version'='1') as select tbl_ice.b, tbl_ice.c from tbl_ice where tbl_ice.c > 52;
Apache Jira: HIVE-29436
CDPD-101214: Semantic error in MERGE statements when using backticks with restricted keywords as column names: Hive fails to execute MERGE statements when you use backticks with restricted keywords as column names. The query displays a SemanticException during parsing, preventing successful execution of the MERGE operation.; Avoid using restricted keywords as column names, even when enclosed in backticks.
CDPD-101742: Hive Iceberg snapshot expiration fails for ORC LZ4/LZO tables: Hive fails to execute queries on Iceberg tables stored in ORC format with LZ4 or LZO compression when LLAP cache is enabled. The failure occurs with OWN_TASK_FAILURE and vertex failures due to an UnsupportedOperationException during ORC decompression. The snapshot expiration functionality itself works as expected and is not impacted.; For Iceberg tables, disable vectorization by setting hive.vectorized.execution.enabled=false.