CVE-2018-11768 in regards to Solr

Kyle Gerald Lamkin

Hello Solr Devs,

I'm looking for some information about CVE-2018-11768, a Hadoop vulnerability. Solr 7.7.2 ships with Hadoop 2.7.4, which is affected; the closest fixed version is 2.8.5. Solr 8.x ships with Hadoop 3.2, which is not affected.

I was unable to find a Jira item for this. Should I open one for it, or is it not applicable?

Thanks for your time.

Regards,
Kyle (K.G.) Lamkin

E-mail: [hidden email]
--------------------------------------------------------------------- To unsubscribe, e-mail: [hidden email] For additional commands, e-mail: [hidden email]
Re: CVE-2018-11768 in regards to Solr

Kevin Risden
Solr interacts with Hadoop only as a client (except in integration tests). From the https://hadoop.apache.org/cve_list.html page, this looks like it is only an issue in the fsimage, which is server side for the NameNode. I don't think that CVE-2018-11768 applies to Solr directly.

CVE-2018-11768 Apache Hadoop HDFS FSImage Corruption
There is a mismatch in the size of the fields used to store user/group information between memory and disk representation. This causes the user/group information to be corrupted across storing in fsimage and reading back from fsimage.

This vulnerability fix contains an fsimage layout change, so once the image is saved in the new layout format you cannot go back to a version that doesn't support the newer layout. This means that once 2.7.x users have upgraded to the fixed version, they cannot downgrade to 2.7.x because there is no fixed version in 2.7.x. We suggest downgrade to 2.8.5 or an upper version that contains the vulnerability fix.

Kevin Risden


On Tue, Oct 29, 2019 at 12:52 PM Kyle Gerald Lamkin <[hidden email]> wrote:
RE: CVE-2018-11768 in regards to Solr

Bradley Parker
Awesome, thanks for the response Kevin, we really appreciate it!

Bradley Parker
Security Developer
IBM Security Systems (QRadar)
[hidden email]

IBM Security
----- Original message -----
From: Kevin Risden <[hidden email]>
To: [hidden email]
Cc: Bradley Parker <[hidden email]>
Subject: [EXTERNAL] Re: CVE-2018-11768 in regards to Solr
Date: Tue, Oct 29, 2019 2:02 PM