Cloudera Docs

Fixed Issues in Cloudera Runtime 7.2.18.900

You can review the list of reported issues and their fixes in Cloudera Runtime 7.2.18.900.

CDPD-79595: RMS full-sync breaks due to unsupported schema
RMS supports HDFS and Ozone file-system in private cloud and S3 in public cloud. The supported file schema types are hdfs, s3a, o3fs, and ofs. If Hive table location was stored at other file-system which was not supported by the RMS, then full-sync threw exception, due to unsupported schema. The full-sync was never completed.

This fix skips the unsupported file schema types while processing table and database metadata during full-sync and delta-sync in RMS. Therefore, table and database locations stored at other file-system, which is not supported by the RMS, are not mapped and appropriate messages are logged in RMS server log file.

CDPD-75089: Restrict trusted packages in ReflectData and SpecificData
Schema parsing in the Java SDK of Apache Avro had an issue that could allow malicious actors to execute arbitrary code when reading Avro data. The issue was resolved by restricting trusted packages in ReflectData and SpecificData.

Apache Jira: AVRO-3985

CDPD-64950: Deadlock during Spark shutdown due to duplicate transaction cleanup
During Spark application shutdown, transactions were being closed by two separate mechanisms at the same time. This parallel cleanup could result in a deadlock, especially when the heartbeat interval was set to a low value. The issue was addressed by ensuring that transaction cleanup occurs through a single mechanism during shutdown, avoiding concurrent execution and potential deadlocks.
CDPD-79911: Netty upgrade to 4.1.118.Final
Upgraded netty to 4.1.118.Final due to CVE-2025-24970, CVE-2025-25193.
CDPD-64286: Hue - Metrics cannot restore database connections on failure
This fix resolves an issue where Hue could not establish a new database connection following a backend database restart, ensuring that all metrics are computed consistently after such events.
CDPD-81576: Restrict trusted packages in the parquet-avro module
Due to CVE-2025-30065, schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and earlier versions allows bad actors to execute arbitrary code. To prevent this CVE, users must specify all the trusted packages in the org.apache.parquet.avro.SERIALIZABLE_PACKAGES environment variable. If the user does not want to specify the override property, then the following packages that are trusted by default are allowed — java.lang, java.math, java.io, java.net, org.apache.parquet.avro.
Fixed Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVEs) that are fixed in this release are: