Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Removing Spark1.6

Labels:
avatar
author-rank JTRexp
Explorer

Created on ‎11-06-2018 08:51 AM - edited ‎09-16-2022 06:52 AM

We're using CDH 5.12.1 currently, which ships with Spark1.6. We have deployed Spark2.3 on the cluster, which is the distribution that we're actively using, and is working fine.

 

However, this does mean that we've got Spark1.6 binaries on our servers. Our security scans have picked these up as a vulnerability and we'd like to go ahead and remove them.

 

I'm wondering if anyone has attempted something like this before? If so, do they have any advice regarding it? I was simply going to have a look at what Spark1.6 files there are, then write a script that looped through our cluster and removed those files.

 

If someone has a more "official" way of doing things, that would be preferable. I'm more than aware that my proposal wouldn't exactly be supported.

 

As a follow up, have the Spark1.6 binaries been removed from more recent CDH versions?

3,397 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
SaraNab author-rank
Cloudera Employee

Created ‎11-20-2018 04:37 AM

- CVE-2018-8024: doesn’t affect Spark1.6. - CVE-2018-1334: fixed in CDH5.14.4, CDH5.15.1, CDH5.12.3 and CDH5.16.0. You can upgrade to one of these versions to resolve the issue.

View solution in original post

3,419 Views
0 Kudos
1
4 REPLIES 4

avatar
SaraNab author-rank
Cloudera Employee

Created ‎11-20-2018 04:37 AM

- CVE-2018-8024: doesn’t affect Spark1.6. - CVE-2018-1334: fixed in CDH5.14.4, CDH5.15.1, CDH5.12.3 and CDH5.16.0. You can upgrade to one of these versions to resolve the issue.
3,420 Views
0 Kudos
1

avatar
author-rank Yuexin Zhang author-rank
Expert Contributor

Created ‎05-10-2019 02:51 AM

 CVE-2018-1334 is fixed in CDH 5.15.1 and higher version.

2,595 Views
0 Kudos

avatar
author-rank Yuexin Zhang author-rank
Expert Contributor

Created ‎05-13-2019 04:29 AM

To be more acturate, technically, CVE-2018-1334 is fixed in CDH 5.14.4.

 

But there's a new issue been found with similar privilege escalation vulnerability, which is CVE-2018-11760. We fixed CVE-2018-11760 in CDH 5.15.1. So with CDH 5.15.1, you won't be affected by these two similar privilege escalation vulnerabilities.

2,566 Views
0 Kudos

avatar
author-rank PatliGalli
New Contributor

Created on ‎05-28-2019 10:30 AM - edited ‎05-28-2019 11:24 AM

Hi Sara, I run vulnerability scans and our scanner picking up Spark 1.6 banner from the following path- for

CVE-2018-8024 vulnerability, you did mention this vulnerability doesn't affect SPark 1.6 but didn't give detail reasons. This is where Qualys picksup the banner-

/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/spark/conf/spark-env.sh: line 75: /usr/appl/cloudera/java/jdk1.8.0_162: is a directory

Welcome to
____              __
/ __/__  ___ _____/ /__
_\ \/ _ \/ _ `/ __/  '_/
/___/ .__/\_,_/_/ /_/\_\   version 1.6.0
/_/

 

Also we have 2 versions of SPARK running- do you really need version 1.6 to run v 2.3.0

Can you please help, advise.

 

2,509 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements