Support Questions

jeromedruais · ‎10-18-2021

Hi,

I found this new CVE for Hadoop (CVE-2020-9492).
The solution is to upgrade to Hadoop 2.10.1 but HDP 2.6.5 (with Apache Hadoop version 2.6.7) is the latest version of Apache Hadoop 2.

Could be possible to fix any CVE into HDP 2.6.5.

Thanks in advance.

nthomas · ‎10-18-2021

I dont see any fix for your version. However, you can use the below workaround:

If https is enabled which encrypts and authenticates the peer then it’s not an issue. Make sure dfs.http.policy in hdfs-site.xml = HTTPS_ONLY
refer: https://my.cloudera.com/knowledge/TSB-2021-406-CVE-2020-9492-Hadoop-filesystem-bindings-ie?id=312034

View solution in original post

nthomas · ‎10-18-2021

I dont see any fix for your version. However, you can use the below workaround:

If https is enabled which encrypts and authenticates the peer then it’s not an issue. Make sure dfs.http.policy in hdfs-site.xml = HTTPS_ONLY
refer: https://my.cloudera.com/knowledge/TSB-2021-406-CVE-2020-9492-Hadoop-filesystem-bindings-ie?id=312034

jeromedruais · ‎10-18-2021

Thanks for the asnwer regarding this security issue.

Generally speaking, does Cloudera could include future fixes in an old version ?

nthomas · ‎10-18-2021

Yes, if the version is supported. But as per https://www.cloudera.com/legal/policies/support-lifecycle-policy.html the support is already ended for HDP 2.6.5.

So, I would recommend upgrading the cluster to CDP for the latest features and security fixes.

Cloudera Community

Support Questions

does CVE-2020-9492 fixed in HDP 2.6.5