Technical Service Bulletins

Learn more about the details communicated in TSB-820.

Summary

The Cloudera Engineering team has identified the following data integrity issues with Apache Ozone (Ozone):

1. In certain situations, handling of failure paths when recovering from disk hardware failures, disk full situations, or over-replication can result in the incorrect deletion of some storage containers on those disk(s). In rare cases, all replicas of the container can be affected, leading to the data within that container becoming unavailable. Under certain extreme conditions, permanent data loss could occur.

   Reference: CDPD-83416

2. A bug in the snapshot deep cleaning service and the object deletion path can lead to potential missing blocks of a snapshot key. This can happen only for the keys that were deleted from the active object store after the snapshot was created.

   Reference: CDPD-83417

Component(s) affected

• Ozone

Releases affected

• Cloudera 7.3.1

Addressed in release/refresh/patch

• Cloudera 7.3.1.300 SP1 CHF 1

Knowledge Base article

For the latest update on this issue see the corresponding Knowledge Base article: TSB 2025-820: Potential Data Integrity Issues Found in Ozone

Learn more about the details communicated in TSB-835.

Summary

Executing the "Dry Run" action for Ozone replication schedules with a "Listing type" of "Incremental only" or "Incremental with fallback to full file listing" will result in a run where the changes are not replicated and also omitted from the subsequent replication runs.

Unless a "Full file listing" replication run is executed, the changes made between the dry run and the previous run are not replicated to the target. Such a scenario may occur when, during the dry run action of an Ozone replication policy with INCREMENTAL_ONLY and INCREMENTAL_WITH_FALLBACK_TO_FULL_FILE_LISTING replication type, generates a temporary snapshot on the source, which doesn't get deleted. On the next incremental run, all changes that occurred on the source Ozone bucket between the last successful run and the last dry run operation, will go unnoticed by the Replication Manager. This situation results in the failure to replicate such changes, to the destination Ozone bucket.

Component(s) affected

• Cloudera Replication Manager

Releases affected

• Cloudera Platform 7.3.1
• Cloudera Base on premises 7.1.9

Addressed in release/refresh/patch

• Cloudera Manager for Cloudera Platform 7.3.1
  • Cloudera Manager 7.13.1.400 (Dry Run feature is temporarily disabled)
• Cloudera Manager for Private Cloud Data Services
  • Cloudera Manager 7.11.3 CHF16 (Dry Run feature is temporarily disabled)

Knowledge Base article

For the latest update on this issue see the corresponding Knowledge Base article: TSB 2025-835: Dry run of incremental Ozone replication can cause failure to replicate some changes in Cloudera Replication Manager

Learn more about the details communicated in TSB-847.

Background

On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced.

Cloudera has determined the list of affected products, and is issuing this TSB to provide details of remediation for affected versions.

Upgraded versions are being released for all currently affected supported releases of Cloudera products. Customers using older versions are advised to upgrade to a supported release that has the remediation, once it becomes available.

Vulnerability Details

Exploiting this vulnerability is only possible by modifying the accepted schema used for translating Parquet files and subsequently submitting a specifically crafted malicious file.

CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.

Impact

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Attackers may be able to modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.

Deserialization vulnerabilities most commonly lead to undefined behavior, such as memory modification or remote code execution.

Releases Affected

• Cloudera Runtime 7.3.1.100 CHF1 and lower versions

Resolved In

• Cloudera Runtime 7.3.1.200 SP1

Mitigation

Until Cloudera has released product version with the Apache Parquet vulnerability fix, please continue to use the the mitigations listed below:

Customers with their own FIM Solution:

1. Utilize a File Integrity Monitoring (FIM) solution. This allows administrators to monitor files at the filesystem level and receive alerts on any unexpected or suspicious activity in the schema configuration.

General advisory:

1. Use network segmentation and traffic monitoring with a device capable of deep packet inspection, such as a network firewall or web application firewall, to inspect all traffic sent to the affected endpoints. Configure alerts for any suspicious or unexpected activity. You may also configure sample analysis parameters to include:

   1. Parquet file format “magic bytes” = PAR1

   2. Connections from sending hosts that are not expected source IP ranges.

2. Be cautious with Parquet files from unknown or untrusted sources. If possible, do not process files with uncertain origins or that can be ingested from outside the organization.

3. Ensure that only authorized users have access to endpoints that ingest Parquet files.

Knowledge Base article

For the latest update on this issue see the corresponding Knowledge Base article: TSB 2025-847: Apache Parquet CVE-2025-30065