Technical Service Bulletins
Technical Service Bulletins and Customer Advisories for the Cloudera 7.3.1 release and its Service Packs and Cumulative Hotfixes.
TSB 2025-820: Potential Data Integrity Issues Found in Ozone
Learn more about the details communicated in TSB-820.
- Summary
- The Cloudera Engineering team has identified the following data integrity issues with Apache Ozone (Ozone):
- In certain situations, handling of failure paths when recovering from disk hardware failures, disk full situations, or over-replication can result in the incorrect deletion of some storage containers on those disk(s). In rare cases, all replicas of the container can be affected, leading to the data within that container becoming unavailable. Under certain extreme conditions, permanent data loss could occur.
Reference: CDPD-83416
- A bug in the snapshot deep cleaning service and the object deletion path can lead to potential missing blocks of a snapshot key. This can happen only for the keys that were deleted from the active object store after the snapshot was created.
Reference: CDPD-83417
- Component(s) affected
- Ozone
- Releases affected
- Cloudera 7.3.1
- Addressed in release/refresh/patch
- Cloudera 7.3.1.300 SP1 CHF 1
- Knowledge Base article
- For the latest update on this issue see the corresponding Knowledge Base article: TSB 2025-820: Potential Data Integrity Issues Found in Ozone
Apache Parquet CVE-2025-30065
Learn more about the details communicated in TSB-847.
- Background
On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced.
Cloudera has determined the list of affected products, and is issuing this TSB to provide details of remediation for affected versions.
Upgraded versions are being released for all currently affected supported releases of Cloudera products. Customers using older versions are advised to upgrade to a supported release that has the remediation, once it becomes available.
- Vulnerability Details
Exploiting this vulnerability is only possible by modifying the accepted schema used for translating Parquet files and subsequently submitting a specifically crafted malicious file.
CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
- Impact
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Attackers may be able to modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.
Deserialization vulnerabilities most commonly lead to undefined behavior, such as memory modification or remote code execution.
- Releases Affected
- Cloudera Runtime 7.3.1.100 CHF1 and lower versions
- Resolved In
- Cloudera Runtime 7.3.1.200 SP1
- Mitigation
Until Cloudera has released a product version with the Apache Parquet vulnerability fix, please continue to use the mitigations listed below:
Customers with their own FIM Solution:
- Utilize a File Integrity Monitoring (FIM) solution. This allows administrators to monitor files at the filesystem level and receive alerts on any unexpected or suspicious activity in the schema configuration.
General advisory:
- Use network segmentation and traffic monitoring with a device capable of deep packet inspection, such as a network firewall or web application firewall, to inspect all traffic sent to the affected endpoints. Configure alerts for any suspicious or unexpected activity. You may also configure sample analysis parameters to include:
  - Parquet file format “magic bytes” = PAR1
  - Connections from sending hosts that are not in the expected source IP ranges.
- Be cautious with Parquet files from unknown or untrusted sources. If possible, do not process files with uncertain origins or that can be ingested from outside the organization.
- Ensure that only authorized users have access to endpoints that ingest Parquet files.
- Knowledge Base article
- For the latest update on this issue see the corresponding Knowledge Base article: TSB 2025-847: Apache Parquet CVE-2025-30065
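The two sample-analysis parameters listed under Mitigation for TSB 2025-847 (the PAR1 magic bytes and connections from unexpected source IP ranges) can be combined into a single triage rule over captured uploads. This is an added example, not Cloudera's code; the function names, CIDR ranges and sample payloads are constructed assumptions.

```python
import ipaddress
import struct

MAGIC = b"PAR1"  # Parquet magic bytes, as named in the advisory
# Assumption: CIDR ranges your ingest endpoints expect uploads from (constructed values).
EXPECTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]


def parquet_evidence(data: bytes):
    """Return 'full', 'header-only' or None for a captured payload."""
    if data[:4] != MAGIC:
        return None
    # A complete file ends with <footer length, little-endian u32> + PAR1.
    if len(data) >= 12 and data[-4:] == MAGIC:
        (footer_len,) = struct.unpack("<I", data[-8:-4])
        if footer_len <= len(data) - 12:
            return "full"
    # Leading magic only: typical of a truncated capture or DPI sample.
    return "header-only"


def source_expected(src_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparseable source is never "expected"
    return any(addr in net for net in EXPECTED_SOURCES)


def triage(uploads):
    """Map (src_ip, payload) pairs to (verdict, src_ip, evidence) tuples."""
    results = []
    for src_ip, data in uploads:
        evidence = parquet_evidence(data)
        if evidence is None:
            verdict = "skip"    # not Parquet, out of scope for this rule
        elif source_expected(src_ip):
            verdict = "allow"
        else:
            verdict = "alert"   # Parquet from outside the expected ranges
        results.append((verdict, src_ip, evidence))
    return results


# Constructed sample payloads: Parquet framing only, no real metadata.
FOOTER = b"\x00" * 8
SAMPLE = MAGIC + b"\x00" * 16 + FOOTER + struct.pack("<I", len(FOOTER)) + MAGIC
UPLOADS = [("10.20.3.7", SAMPLE), ("203.0.113.50", SAMPLE),
           ("203.0.113.50", SAMPLE[:20]), ("198.51.100.9", b"PK\x03\x04rest")]
```

Calling `triage(UPLOADS)` returns one verdict per upload. A header-only match still alerts, because an inspection device often sees only the first bytes of a transfer.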