Issues Fixed in CDH 5.16.x

Issues Fixed in CDH 5.16.2

XSS Cloudera Manager

Malicious Impala queries can result in Cross Site Scripting (XSS) when viewed in Cloudera Manager.

Products affected: Apache Impala

Releases affected:
  • Cloudera Manager 5.13.x, 5.14.x, 5.15.1, 5.15.2, 5.16.1
  • Cloudera Manager 6.0.0, 6.0.1, 6.1.0

Users affected: All Cloudera Manager Users

Date/time of detection: November 2018

Severity (Low/Medium/High): High

Impact: When a malicious user generates a piece of JavaScript in the impala-shell and then goes to the Queries tab of the Impala service in Cloudera Manager, that piece of JavaScript code gets evaluated, resulting in an XSS.

CVE: CVE-2019-14449

Immediate action required: There is no workaround; upgrade to the latest available maintenance release.

Addressed in release/refresh/patch:
  • Cloudera Manager 5.16.2
  • Cloudera Manager 6.0.2, 6.1.1, 6.2.0, 6.3.0

Timestamp type-casted to varchar in a binary predicate can produce incorrect result

In an Impala query, a timestamp can be type-cast to a varchar of smaller length to convert the timestamp value to a date string. However, if such a cast is used in a binary comparison against a string literal, the query can produce incorrect results because of a bug in the expression rewriting code. The following is an example of this:
> select * from (select cast('2018-12-11 09:59:37' as timestamp) as ts) tbl where cast(ts as varchar(10)) = '2018-12-11';
The output will have 0 rows.

Products affected: Apache Impala

Releases affected:
  • CDH 5.15.0, 5.15.1, 5.15.2, 5.16.0, 5.16.1
  • CDH 6.0.0, 6.0.1, 6.1.0, 6.1.1

For the latest update on this issue see the corresponding Knowledge article: TSB 2019-358: Timestamp type-casted to varchar in a binary predicate can produce incorrect result

Inconsistent rows returned from queries in Kudu

Due to KUDU-2463, upon restarting Kudu, inconsistent rows may be returned from tables that have not recently been written to, resulting in any of the following:

  • multiple rows for the same key being returned
  • deleted data being returned
  • inconsistent results consistently being returned for the same query

If this happens, you can resolve the conflicts by writing to the affected Kudu partitions in one of two ways:

  • re-deleting the known and deleted data
  • upserting the most up-to-date version of affected rows.

Products affected: Apache Kudu

Releases affected:
  • CDH 5.12.2, 5.13.3, 5.14.4, 5.15.1, 5.16.1
  • CDH 6.0.1, 6.1.0, 6.1.1

For the latest update on this issue see the corresponding Knowledge article: TSB 2019-353: Inconsistent rows returned from queries in Kudu

Upstream Issues Fixed

Apache Flume

  • FLUME-2973 - Deadlock in hdfs sink.
  • FLUME-3223 - Flume HDFS Sink should retry close prior recover lease.

Apache Hadoop

  • HADOOP-15442 - ITestS3AMetrics.testMetricsRegister should not know the name of the metrics source.
  • HDFS-11751 - DFSZKFailoverController daemon exits with the wrong status code.
  • HDFS-12683 - DFSZKFailOverController re-order logic for logging exception.
  • HDFS-14111 - hdfsOpenFile on HDFS causes unnecessary IO from file offset 0
  • MAPREDUCE-6382 - HTML links in the Diagnostics in JHS job overview must not be escaped.
  • MAPREDUCE-7125 - JobResourceUploader creates LocalFileSystem when it's not necessary.
  • MAPREDUCE-7131 - Job History Server has race condition where it moves files from intermediate to finished but thinks file is in intermediate.
  • YARN-4227 - Ignore expired containers from the removed nodes in FairScheduler.
  • YARN-4677 - RMNodeResourceUpdateEvent update from scheduler can lead to race condition.

Apache HBase

  • HBASE-16810 - HBase Balancer throws ArrayIndexOutOfBoundsException when regionservers are in /hbase/draining znode and unloaded
  • HBASE-17510 - DefaultMemStore gets the wrong heap size after rollback
  • HBASE-19730 - Backport HBASE-14497 Reverse Scan threw StackOverflow caused by readPt checking
  • HBASE-20604 - ProtobufLogReader#readNext can incorrectly loop to the same position in the stream until the WAL is rolled
  • HBASE-21275 - Disable TRACE HTTP method for thrift http server
  • HBASE-21546 - ConnectException in TestThriftHttpServer

Apache Hive

  • HIVE-12476 - Metastore NPE on Oracle with Direct SQL
  • HIVE-13278 - Avoid FileNotFoundException when map/reduce.xml is not available
  • HIVE-13394 - Analyze table fails in Tez on empty partitions
  • HIVE-13592 - metastore calls map is not thread safe
  • HIVE-14557 - Nullpointer When both SkewJoin and Mapjoin Enabled
  • HIVE-14560 - Support exchange partition between S3 and HDFS tables
  • HIVE-14690 - Query fail when hive.exec.parallel=true, with conflicting session dir
  • HIVE-16839 - Unbalanced calls to openTransaction/commitTransaction when altering the same partition concurrently
  • HIVE-18778 - Needs to capture input/output entities in explain
  • HIVE-20331 - Query with union all, lateral view and Join fails with "cannot find parent in the child operator"
  • HIVE-20678 - HiveHBaseTableOutputFormat should implement HiveOutputFormat to ensure compatibility
  • HIVE-20695 - HoS Query fails with hive.exec.parallel=true
  • HIVE-21028 - get_table_meta should use a fetch plan to avoid race conditions ending up in NucleusObjectNotFoundException
  • HIVE-21044 - Improvements to HMS metrics
  • HIVE-21045 - Add connection pool info and rolling performance info to the metrics system

Hue

  • HUE-8388 - [oozie] Make Hue create a new workspace when importing an Oozie workflow instead of using the "deployment_dir" field
  • HUE-8450 - [editor] Embedded mode improvements for previous Hue version
  • HUE-8458 - [frontend] Improve application loading performance
  • HUE-8468 - [frontend] Dynamically adding styles in embedded mode fails in Internet Explorer (throws a JavaScript exception)
  • HUE-8584 - [useradmin] Errors returned for Add Sync Ldap Group
  • HUE-8585 - [useradmin] Errors returned for Add Sync Ldap Users
  • HUE-8631 - HBase is not accessible by way of the Hue server; instead returns "API Error."
  • HUE-8660 - [core] File browser cannot view files containing a hash (#) in the name
  • HUE-8691 - [useradmin] Attempting to add/sync group will not add users if the objectClass posixGroup exists in the LDAP entry
  • HUE-8692 - [useradmin] Group sync fails if all group members are not found with error "No such object"
  • HUE-8693 - [useradmin] Security application only displays 100 users in the impersonation list
  • HUE-8705 - [oozie] Hidden popup window is blocking the Query drop-down menu and the search box
  • HUE-8709 - [useradmin] Black transparent screen remains after confirmation modal is hidden
  • HUE-8746 - [pig] Add hcat support to the Pig Editor in Hue

Apache Impala

  • IMPALA-6323 - Impala now supports a constant in the window specifications.
  • IMPALA-7960 - Impala now returns a correct result when comparing TIMESTAMP to a string literal in a binary predicate where the TIMESTAMP is cast to a VARCHAR of smaller length.
  • IMPALA-7961 - Fixed an issue where queries running with the SYNC_DDL query option can fail when the Catalog Server is under a heavy load with concurrent catalog operations of long-running DDLs.
  • IMPALA-8058 - Fixed cardinality estimates for HBase queries, which could sometimes yield hugely high numbers.
  • IMPALA-8109 - Impala can now read gzip files larger than 2 GB.
  • IMPALA-8212 - Fixed a race condition in the Kerberos authentication code.

Kite

  • KITE-1185 - Make root temp directory path configurable in HiveAbstractDatasetRepository

Apache Kudu

  • KUDU-1678 - Fixed a crash caused by a race condition between altering tablet schemas and deleting tablet replicas.
  • KUDU-2195 - Now you can use the --cmeta_force_fsync flag to fsync Kudu’s consensus metadata more aggressively. Setting this to true may decrease Kudu’s performance, but will improve its durability in the face of power failures and forced shutdowns. The issue was much more likely to happen when Kudu was running on XFS.
  • KUDU-2463 - Fixed an issue in which incorrect results would be occasionally returned in scans following a server restart.
  • CDH-76920 - Fixed the issue where the Kudu CLI crashes when running the 'kudu cluster rebalance' sub-command on some platforms.

Apache Oozie

  • OOZIE-3382 - Optimize SshActionExecutor's drainBuffers method

Apache Pig

  • PIG-5373 - InterRecordReader might skip records if certain sync markers are used
  • PIG-5374 - Use CircularFifoBuffer in InterRecordReader

Apache Sentry

  • SENTRY-2205 - Improve Sentry NN Logging.
  • SENTRY-2301 - Log where sentry stands in the snapshot fetching process, periodically
  • SENTRY-2372 - SentryStore should not implement grantOptionCheck
  • SENTRY-2419 - Log where sentry stands in the process of persisting the snapshot
  • SENTRY-2427 - Use Hadoop KerberosName class to derive shortName
  • SENTRY-2428 - Skip null partitions or partitions with null sds entries
  • SENTRY-2437 - When granting privileges a single transaction per grant causes long delays
  • SENTRY-2490 - When building a full perm update for each object we only build 1 privilege per role
  • SENTRY-2498 - Exception while deleting paths that don't exist
  • SENTRY-2502 - Sentry NN plug-in stops fetching updates from sentry server.
  • SENTRY-2511 - Debug level logging on HMSPaths significantly affects performance

Apache Spark

  • SPARK-4224 - [CORE][YARN] Support group acls
  • SPARK-19019 - [PYTHON][BRANCH-1.6] Fix hijacked `collections.namedtuple` and port cloudpickle changes for PySpark to work with Python 3.6.0

Apache Zookeeper

Issues Fixed in CDH 5.16.1

CVE-2018-1296 Permissive Apache Hadoop HDFS listXAttr Authorization Exposes Extended Attribute Key/Value Pairs

HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

Products affected: Apache HDFS

Releases affected:
  • CDH 5.4.0 - 5.15.1, 5.16.0
  • CDH 6.0.0, 6.0.1, 6.1.0

Users affected: Users who store sensitive data in extended attributes, such as users of HDFS encryption.

Date/time of detection: December 12, 2017

Detected by: Rushabh Shah, Yahoo! Inc., Hadoop committer

Severity (Low/Medium/High): Medium

Impact: HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. This affects features that store sensitive data in extended attributes.

CVE: CVE-2018-1296

Immediate action required:
  • Upgrade: Update to a version of CDH containing the fix.
  • Workaround: If a file contains sensitive data in extended attributes, users and admins need to change the permission to prevent others from listing the directory that contains the file.

Addressed in release/refresh/patch:
  • CDH 5.15.2, 5.16.1
  • CDH 6.1.1, 6.2.0
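
The exposure condition in the CVE-2018-1296 advisory above, as an added example (not Cloudera or Apache Hadoop code): the Python below audits `hdfs dfs -ls -R` output and reports which files holding sensitive extended attributes sit under directories that the "other" permission class can search all the way down. The sample listing, the list of sensitive paths and the function names are assumptions made for illustration; only the "other" class is checked and HDFS ACLs are not evaluated.

```python
import posixpath

# Constructed sample of `hdfs dfs -ls -R /data` output (not from a real cluster).
SAMPLE_LS = """\
drwxr-xr-x   - hdfs supergroup          0 2018-11-02 10:15 /data
drwxr-x---   - etl  analysts            0 2018-11-02 10:15 /data/locked
-rw-r-----   3 etl  analysts         4096 2018-11-02 10:16 /data/locked/keys.bin
drwxr-xr-x   - etl  analysts            0 2018-11-02 10:17 /data/open
-rw-------   3 etl  analysts         4096 2018-11-02 10:18 /data/open/secret.bin
"""

# Assumption: the operator already knows which files carry sensitive xattrs.
SENSITIVE = ["/data/locked/keys.bin", "/data/open/secret.bin"]


def parse_ls(text):
    """Map each listed path to its 10-character mode string (ACL '+' suffix dropped)."""
    modes = {}
    for line in text.splitlines():
        fields = line.split(None, 7)  # the path is the 8th field and may contain spaces
        if len(fields) == 8 and fields[0][:1] in ("d", "-"):
            modes[fields[7]] = fields[0][:10]
    return modes


def other_can_search(mode):
    """True if 'other' has execute (search) on the directory; 't' is sticky plus execute."""
    return mode[9] in ("x", "t")


def ancestors(path):
    """Yield the ancestor directories of path, nearest first, excluding '/'."""
    parent = posixpath.dirname(path)
    while parent not in ("", "/"):
        yield parent
        parent = posixpath.dirname(parent)


def exposed_files(modes, sensitive_paths):
    """Return sensitive files reachable by 'other' through search access alone.

    This mirrors the check the advisory describes: search access on the
    directories is verified, read permission on the file itself is not.
    Directories missing from the listing are assumed searchable (conservative).
    """
    exposed = []
    for path in sensitive_paths:
        if all(other_can_search(modes.get(d, "drwxr-xr-x")) for d in ancestors(path)):
            exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    for p in exposed_files(parse_ls(SAMPLE_LS), SENSITIVE):
        print("xattrs listable by 'other' users on affected releases:", p)
```

Note that /data/open/secret.bin is reported even though its own mode denies "other" any access; removing "other" access from /data/open, as the workaround describes, clears the finding.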

Apache Tomcat Vulnerability CVE-2018-11784

Fixed a vulnerability in Apache Tomcat where specially-crafted URLs could be used to redirect to any given URI. CVE-2018-11784.

Cloudera Issue: CDH-73885

Cloudera Search restore operation puts shard replicas on same host

Restoring an Apache Solr collection sometimes places all shard replicas on the same host.

Cloudera Issue: CDH-68828

Missing authorization in Apache Impala may allow data injection

A malicious user who is authenticated with Kerberos may have unauthorized access to internal services used by Impala to transfer intermediate data during query execution. If details of a running query (e.g. query ID, query plan) are available, a user can craft some RPC requests with custom software to inject data into a running query or end query execution prematurely, leading to wrong results of the query.

Cloudera Issue: CDH-72373 / TSB-338

CVE: CVE-2018-11785

Upstream Issues Fixed

Apache Hadoop

  • HADOOP-13426 - Improved IPC performance.
  • HADOOP-13483 - Fixed an issue where file-create overwrote directories instead of throwing error messages
  • HADOOP-15473 - Configured the serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997
  • HADOOP-15655 - Enhanced KMS client retry behavior. Previously, the KMS did not retry upon SocketTimeoutException.
  • HDFS-8229 - Fixed an issue where the LAZY_PERSIST file gets deleted after NameNode restart.
  • HDFS-10240 - Fixed a race between close and recoverLease that led to a missing block
  • HDFS-12299 - Fixed a race between update pipeline and DN Re-Registration
  • HDFS-13051 - Fixed a deadlock during async editlog rolling if the edit queue is full.
  • HDFS-13322 - Fixed an issue where the UID persists when switching between ticket caches.
  • HDFS-13486 - Fixed an issue where a faulty node can cause a lease leak and NPE on accessing data.
  • HDFS-13601 - Optimized ByteString conversions in PBHelper.
  • HDFS-13611 - Fixed an issue where text was used as a ConcurrentHashMap key in PBHelperClient.
  • HDFS-13813 - Added a check to see if a child inode exists in the global FSDirectory directory when saving (serializing) INodeDirectorySection.
  • MAPREDUCE-7053 - Fixed an issue where Timed out tasks can fail to produce thread dump
  • YARN-6966 - Fixed an issue where NodeManager metrics may return wrong negative values when the NodeManager restarts.
  • YARN-6967 - Fixed an issue where the limit for diagnostic message size was not honored
  • YARN-8436 - Fixed an issue where the ResourceManager can fail while sorting queues if an update comes in

Apache HBase

  • HBASE-15232 - Handle region location cache mgmt in AsyncProcess for multi()'s
  • HBASE-15390 - Unnecessary MetaCache evictions cause elevated number of requests to meta
  • HBASE-18891 - Upgrade to netty-all 4.0.50.Final
  • HBASE-19924 - hbase rpc throttling does not work for multi() with request count rater.
  • HBASE-20493 - Port HBASE-19994 (Create a new class for RPC throttling exception, make it retryable) to branch-1
  • HBASE-20651 - Master, prevents hbck or shell command to reassign the split parent region
  • HBASE-20723 - Custom hbase.wal.dir results in data loss because we write recovered edits into a different place than where the recovering region server looks for them
  • HBASE-20997 - rebuildUserRegions() does not build ReplicaMapping during master switchover

Apache Hive

Code Changes Should Not Be Required

The following fixes should not require code changes, but they contain improvements that might enhance your deployment:

  • HIVE-6980 - Drop table by using direct sql
  • HIVE-10296 - Cast exception observed when hive runs a multi join query on metastore (postgres), since postgres pushes the filter into the join, and ignores the condition before applying cast
  • HIVE-12981 - ThriftCLIService uses incompatible getShortName() implementation
  • HIVE-15237 - Propagate Spark job failure to Hive
  • HIVE-15860 - RemoteSparkJobMonitor may hang when RemoteDriver exits abnormally
  • HIVE-16483 - HoS should populate split related configurations to HiveConf
  • HIVE-17213 - HoS file merging doesn't work for union all
  • HIVE-18031 - Support replication for Alter Database operation
  • HIVE-18283 - Better error message and error code for HoS exceptions
  • HIVE-18765 - SparkClientImpl swallows exception messages from the RemoteDriver
  • HIVE-18916 - SparkClientImpl doesn't error out if spark-submit fails
  • HIVE-19259 - Create view on tables having union all fail with 'Table not found'
  • HIVE-19310 - Metastore: MetaStoreDirectSql.ensureDbInit has some slow DN calls which might need to be run only in test env
  • HIVE-19371 - Add table ownerType to HMS thrift API
  • HIVE-19372 - Add table ownerType to JDO/SQL and ObjectStore
  • HIVE-19374 - Parse and process ALTER TABLE SET OWNER command syntax
  • HIVE-19605 - TAB_COL_STATS table has no index on db/table name
  • HIVE-19668 - Over 30% of the heap wasted by duplicate org.antlr.runtime.CommonToken's and duplicate strings
  • HIVE-19783 - Retrieve only locations in HiveMetaStore.dropPartitionsAndGetLocations
  • HIVE-20183 - Inserting from bucketed table can cause data loss, if the source table contains empty bucket
  • HIVE-20345 - Drop database may hang if the tables get deleted from a different call

Hue

  • HUE-8118 - [core] Fine grain tracking of the memory usage
  • HUE-8118 - [core] The duration of the request is always shown even when instrumentation flag is off
  • HUE-8128 - [backend] Force debug logging in server logs does not get all debug
  • HUE-8162 - [core] Add delete operation to the right document assist
  • HUE-8177 - [oozie] Add a config check for /user/hue/oozie/workspaces
  • HUE-8377 - [security] Support new Sentry finer grain privileges
  • HUE-8377 - [security] Correctly apply the new permissions to the database scope
  • HUE-8451 - [notebook] Many "codec can't decode byte" errors on pig execution if browser language=jp
  • HUE-8464 - [core] Fix SAML encryption missing key file passphrase
  • HUE-8467 - [jobbrowser] Support impala digest auth for queries
  • HUE-8475 - [report] Protect against pivot conflicting with nested facets
  • HUE-8476 - [frontend] Fix jQuery Hive autocomplete column mapping
  • HUE-8487 - [useradmin] Fix Add Sync LDAP user fails when using DN with special character
  • HUE-8505 - [core] Close impala session on logout
  • HUE-8519 - [jb] Impala API can now directly return json
  • HUE-8558 - [jb] Add tracking URL to Spark Jobs and remove url and killUrl
  • HUE-8564 - [useradmin] Fix last activity update for jobbrowser/api/jobs requests
  • HUE-8564 - [useradmin] Fix last activity update for notebook/api/check_status
  • HUE-8571 - [sentry] navigator_api ERROR for PRIVILEGE_HIERARCHY[hierarchy[server][SENTRY_PRIVILEGE_KEY]['action']]
  • HUE-8602 - [sentry] Remove ALTER and DROP in the Hive section

Apache Impala

  • IMPALA-6086 - Require the SELECT privilege on the database for built-in function calls.
  • IMPALA-6451 - Fixed the AuthorizationException in CTAS for Kudu tables.
  • IMPALA-6479 - DESCRIBE now respects column level privileges and only shows the columns that the user has the privilege to view.
  • IMPALA-6571 - Fixed the NullPointerException in SHOW CREATE TABLE for HBase tables.
  • IMPALA-7225 - REFRESH..PARTITION no longer resets the number of rows in a partition.
  • IMPALA-7272 - Fixed the crash in StringMinMaxFilter.
  • IMPALA-7360 - Fixed an issue where Avro scanner sometimes skipped blocks when skip marker was on HDFS block boundary.
  • IMPALA-7419 - Fixed the NullPointerException in SimplifyConditionalsRule.
  • IMPALA-7483 - impalad and catalogd are now aborted on a JVM deadlock.
  • IMPALA-7520 - Fixed the NullPointerException in SentryProxy.

Apache Kudu

  • KUDU-2260 - Fixed a rare issue where system failure could leave unexpected null bytes at the end of metadata files, causing Kudu to be unable to restart.
  • KUDU-2364 - Fixed an issue when a tablet server was wiped and recreated with the same RPC address, ksck listed it twice, both as healthy, even though only one of them was there.
  • KUDU-2412 - The kudu-python client can now compile in environments where __int128 is not supported. This was most commonly el6 environments.
  • KUDU-2509 - Fixed an issue that might result in a crash of a tablet server in case of a WAL replay error while bootstrapping a tablet.
  • KUDU-2580 - Fixed authentication token reacquisition in the C++ client.
  • Fixed an issue that caused the kudu CLI tool to unexpectedly exit when the connection to the master or tserver was abruptly closed.

Apache Oozie

  • OOZIE-2457 - Oozie log parsing regex consumes more than 90% CPU
  • OOZIE-3193 - Applications are not killed when submitted via subworkflow
  • OOZIE-3354 - [core] [SSH action] SSH action gets hung
  • OOZIE-3370 - Property filtering is not consistent across job submission

Apache Pig

The following issues are fixed in CDH 6.1.1:

  • PIG-5373 - InterRecordReader might skip records if certain sync markers are used
  • PIG-5374 - Use CircularFifoBuffer in InterRecordReader

Apache Sentry

  • SENTRY-1272 - Enable ALTERVIEW_RENAME and ALTERVIEW_AS operation in hive binding
  • SENTRY-2194 - Upgrade Sentry hadoop-version dependency to 2.7.5
  • SENTRY-2210 - AUTHZ_PATH should have index on the foreign key AUTHZ_OBJ_ID
  • SENTRY-2214 - Sentry should not allow URI grants to EMPTY or NULL locations
  • SENTRY-2219 - Create index AUTHZ_PATH_FK_IDX at table AUTHZ_PATH only when it does not exist for Oracle
  • SENTRY-2238 - Explicitly set Database on SentryHivePrivilegeObjectDesc
  • SENTRY-2299 - NPE In Sentry HDFS Sync Plugin
  • SENTRY-2310 - Sentry is not able to fetch full update subsequently, when there is HMS restart in the snapshot process.
  • SENTRY-2332 - Load hadoop default configuration when starting sentry service
  • SENTRY-2333 - Create index AUTHZ_PATH_FK_IDX at table AUTHZ_PATH for Postgres only when it does not exist
  • SENTRY-2403 - Incorrect naming in RollingFileWithoutDeleteAppender
  • SENTRY-2406 - Make sure inputHierarchy and outputHierarchy have unique values

Apache Solr

  • SOLR-12290 - Do not close any servlet streams and improve our servlet stream closing prevention code for users and devs.
  • SOLR-12293 - Updates need to use their own connection pool to maintain connection reuse and prevent spurious recoveries.

Apache Spark

  • SPARK-22864 - [CORE] Disable allocation schedule in ExecutorAllocationManagerSuite.
  • SPARK-25253 - [PYSPARK] Refactor local connection & auth code
  • SPARK-25318 - Add exception handling when wrapping the input stream during the fetch or stage retry in response to a corrupted block

Apache Zookeeper

  • ZOOKEEPER-706 - Large numbers of watches can cause session re-establishment to fail
  • ZOOKEEPER-1382 - Zookeeper server holds onto dead/expired session ids in the watch data structures