question Re: does CVE-2020-9492 fixed in HDP 2.6.5 in Support Questions

does CVE-2020-9492 fixed in HDP 2.6.5

jeromedruais — Mon, 18 Oct 2021 07:58:47 GMT

Hi,

I found this new CVE for Hadoop (CVE-2020-9492).
The solution is to upgrade to Hadoop 2.10.1 but HDP 2.6.5 (with Apache Hadoop version 2.6.7) is the latest version of Apache Hadoop 2.

Could be possible to fix any CVE into HDP 2.6.5.

Thanks in advance.

Re: does CVE-2020-9492 fixed in HDP 2.6.5

nthomas — Mon, 18 Oct 2021 09:12:04 GMT

I dont see any fix for your version. However, you can use the below workaround:

If https is enabled which encrypts and authenticates the peer then it’s not an issue. Make sure dfs.http.policy in hdfs-site.xml = HTTPS_ONLY
refer: https://my.cloudera.com/knowledge/TSB-2021-406-CVE-2020-9492-Hadoop-filesystem-bindings-ie?id=312034

Re: does CVE-2020-9492 fixed in HDP 2.6.5

jeromedruais — Mon, 18 Oct 2021 10:12:54 GMT

Thanks for the asnwer regarding this security issue.

Generally speaking, does Cloudera could include future fixes in an old version ?

Re: does CVE-2020-9492 fixed in HDP 2.6.5

nthomas — Mon, 18 Oct 2021 10:19:28 GMT

Yes, if the version is supported. But as per https://www.cloudera.com/legal/policies/support-lifecycle-policy.html the support is already ended for HDP 2.6.5.

So, I would recommend upgrading the cluster to CDP for the latest features and security fixes.