CVE-2018-11768: Buffer Overflow
First published: Fri Oct 04 2019(Updated: )
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Hadoop | >=2.2.0<=2.8.4 | |
| Apache Hadoop | >=2.9.0<=2.9.1 | |
| Apache Hadoop | >=3.0.1<=3.0.3 | |
| Apache Hadoop | >=3.1.0<=3.1.1 | |
| Apache Hadoop | =2.0.0 | |
| Apache Hadoop | =2.0.0-alpha | |
| Apache Hadoop | =2.0.1 | |
| Apache Hadoop | =2.0.1-alpha | |
| Apache Hadoop | =2.0.2 | |
| Apache Hadoop | =2.0.2-alpha | |
| Apache Hadoop | =2.0.3 | |
| Apache Hadoop | =2.0.3-alpha | |
| Apache Hadoop | =2.0.4 | |
| Apache Hadoop | =2.0.4-alpha | |
| Apache Hadoop | =2.0.5 | |
| Apache Hadoop | =2.0.5-alpha | |
| Apache Hadoop | =2.0.6 | |
| Apache Hadoop | =2.0.6-alpha | |
| Apache Hadoop | =2.1.0 | |
| Apache Hadoop | =2.1.0-beta | |
| Apache Hadoop | =2.1.1-beta | |
| Apache Hadoop | =3.0.0 | |
| Apache Hadoop | =3.0.0-alpha1 | |
| Apache Hadoop | =3.0.0-alpha2 | |
| Apache Hadoop | =3.0.0-alpha3 | |
| Apache Hadoop | =3.0.0-alpha4 | |
| Apache Hadoop | =3.0.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/ceb16af9139ab0fea24aef935b6321581976887df7ad632e9a515dda@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4@%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf%40%3Cgeneral.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378%40%3Cgeneral.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600%40%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a%40%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4%40%3Chdfs-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/ceb16af9139ab0fea24aef935b6321581976887df7ad632e9a515dda%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E
Frequently Asked Questions
What is the vulnerability CVE-2018-11768?
The vulnerability CVE-2018-11768 is a user/group information corruption vulnerability in Apache Hadoop.
What software versions are affected by CVE-2018-11768?
The software versions affected by CVE-2018-11768 include Apache Hadoop 2.2.0 to 2.8.4, 2.9.0 to 2.9.1, 3.0.1 to 3.0.3, and 3.1.0 to 3.1.1.
What is the severity of CVE-2018-11768?
CVE-2018-11768 has a severity rating of 7.5 (high).
What is the Common Weakness Enumeration (CWE) ID for CVE-2018-11768?
The Common Weakness Enumeration (CWE) ID for CVE-2018-11768 is 119.
Are there any references available for CVE-2018-11768?
Yes, you can find references for CVE-2018-11768 at the following links: [Link 1](https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E), [Link 2](https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E), [Link 3](https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6@%3Cdev.lucene.apache.org%3E).
- collector/nvd-index
- agent/event
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache hadoop
- version/apache hadoop/2.2.0
- version/apache hadoop/2.8.4
- version/apache hadoop/2.9.0
- version/apache hadoop/2.9.1
- version/apache hadoop/3.0.1
- version/apache hadoop/3.0.3
- version/apache hadoop/3.1.0
- version/apache hadoop/3.1.1
- version/apache hadoop/2.0.0
- version/apache hadoop/2.0.0-alpha
- version/apache hadoop/2.0.1
- version/apache hadoop/2.0.1-alpha
- version/apache hadoop/2.0.2
- version/apache hadoop/2.0.2-alpha
- version/apache hadoop/2.0.3
- version/apache hadoop/2.0.3-alpha
- version/apache hadoop/2.0.4
- version/apache hadoop/2.0.4-alpha
- version/apache hadoop/2.0.5
- version/apache hadoop/2.0.5-alpha
- version/apache hadoop/2.0.6
- version/apache hadoop/2.0.6-alpha
- version/apache hadoop/2.1.0
- version/apache hadoop/2.1.0-beta
- version/apache hadoop/2.1.1-beta
- version/apache hadoop/3.0.0
- version/apache hadoop/3.0.0-alpha1
- version/apache hadoop/3.0.0-alpha2
- version/apache hadoop/3.0.0-alpha3
- version/apache hadoop/3.0.0-alpha4
- version/apache hadoop/3.0.0-beta1