CVE-2018-11765
First published: Wed Sep 30 2020(Updated: )
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Hadoop | >=2.8.0<=2.8.5 | |
| Apache Hadoop | >=2.9.0<=2.9.2 | |
| Apache Hadoop | =3.0.0 | |
| Apache Hadoop | =3.0.0-alpha2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20201016-0005/
- https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf%40%3Cdev.druid.apache.org%3E
- https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f%40%3Ccommits.druid.apache.org%3E
Frequently Asked Questions
What is CVE-2018-11765?
CVE-2018-11765 is a vulnerability in Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5 where any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
What is the severity of CVE-2018-11765?
The severity of CVE-2018-11765 is high with a severity value of 7.5.
How does CVE-2018-11765 affect Apache Hadoop?
CVE-2018-11765 affects Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5.
How can I fix CVE-2018-11765 in Apache Hadoop?
To fix CVE-2018-11765 in Apache Hadoop, users should enable SPNEGO through HTTP when Kerberos authentication is enabled.
Is there any reference material available for CVE-2018-11765?
Yes, reference material for CVE-2018-11765 can be found at the following links: [Link 1](https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E), [Link 2](https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E), [Link 3](https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E).
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/event
- agent/description
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache hadoop
- version/apache hadoop/2.8.0
- version/apache hadoop/2.8.5
- version/apache hadoop/2.9.0
- version/apache hadoop/2.9.2
- version/apache hadoop/3.0.0
- version/apache hadoop/3.0.0-alpha2