CVE-2018-11765
Description
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper authentication in Apache Hadoop allows unauthenticated users to access certain servlets when Kerberos is enabled but SPNEGO is not.
Vulnerability Description
When Kerberos authentication is enabled in Apache Hadoop, SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) over HTTP is the mechanism expected to protect the web-console servlets. In the affected versions (3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5) that protection can be bypassed: some servlets do not enforce authentication themselves when Kerberos is enabled for the cluster but SPNEGO is not active on the HTTP side, that is, when hadoop.security.authentication is set to kerberos while the HTTP consoles remain at the default simple authentication type. The result is a gap in the access-control logic for those endpoints.
Attack Surface and Exploitation
An attacker does not need any prior authentication or special privileges. By simply sending HTTP requests to the vulnerable servlets, they can interact with Apache Hadoop services. This is exploitable over the network without any credentials, requiring only that Kerberos be enabled and SPNEGO disabled or misconfigured.
Impact
Unauthenticated access to these servlets may let an attacker read sensitive data, trigger actions, or perform operations that should require authentication. Because it bypasses authentication outright on the affected endpoints, it undermines the intended security posture of a Kerberos-secured Hadoop deployment.
Mitigation
The Apache Software Foundation has released fixed versions; upgrade to Hadoop 3.0.1, 2.9.3, 2.8.6, or later. If upgrading is not immediately possible, enable SPNEGO for the web consoles (set hadoop.http.authentication.type to kerberos with a matching HTTP service principal and keytab) and restrict network access to the web-UI ports so that only trusted hosts can reach these endpoints [1].
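The precondition described under Vulnerability Description and the mitigation check above, as an added example (this is not code from the Hadoop project or from the advisory): the script parses a core-site.xml, flags the combination of RPC on Kerberos with the HTTP consoles still on simple authentication, and classifies what an unauthenticated GET against a web endpoint returns. The property names are the ones documented for Hadoop's core-site.xml HTTP authentication settings; the two embedded core-site.xml samples are constructed; the probe paths are assumed common HttpServer2 management endpoints and are not a list of the servlets the advisory refers to, which it does not name.

```python
"""Added example for CVE-2018-11765 (not Hadoop project code): audit a
core-site.xml for the vulnerable RPC-Kerberos / HTTP-simple mismatch and
classify unauthenticated probe responses from a Hadoop web console.
Property names follow Hadoop's HTTP authentication documentation; the probe
paths are an assumption (standard management servlets), not the advisory's list."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

AUTH_FILTER_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"

# Assumed endpoints to probe: standard HttpServer2 management servlets.
PROBE_PATHS = ["/jmx", "/conf", "/stacks", "/logLevel", "/logs/"]

# Constructed sample: RPC on Kerberos, HTTP consoles never switched to SPNEGO.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>
"""

# Constructed sample: the same cluster with SPNEGO enabled for the web consoles.
FIXED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>hadoop.http.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value></property>
</configuration>
"""


def load_props(xml_text):
    """Parse Hadoop's <configuration><property><name/><value/> layout into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means the HTTP side matches the RPC side."""
    findings = []
    rpc_kerberos = props.get("hadoop.security.authentication", "simple").lower() == "kerberos"
    http_type = props.get("hadoop.http.authentication.type", "simple").lower()
    inits = [s.strip() for s in props.get("hadoop.http.filter.initializers", "").split(",") if s.strip()]
    if rpc_kerberos and http_type != "kerberos":
        findings.append("hadoop.http.authentication.type is '%s' while RPC uses Kerberos: "
                        "web consoles are not behind SPNEGO (CVE-2018-11765 precondition)" % http_type)
    if http_type == "kerberos" and AUTH_FILTER_INIT not in inits:
        findings.append("hadoop.http.filter.initializers does not list AuthenticationFilterInitializer; "
                        "the SPNEGO filter is not installed on the web consoles")
    if http_type == "kerberos":
        for key in ("hadoop.http.authentication.kerberos.principal",
                    "hadoop.http.authentication.kerberos.keytab"):
            if not props.get(key):
                findings.append("%s is unset; SPNEGO cannot start without it" % key)
    return findings


def classify_probe(status, headers):
    """Interpret the response to an unauthenticated GET on a Hadoop web endpoint."""
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate", "").lower()
    if status == 401 and "negotiate" in challenge:
        return "spnego-enforced"  # the 401 + Negotiate challenge a protected console sends
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        return "open"  # served without credentials: the behaviour the advisory describes
    return "other"


def probe(base_url, paths=PROBE_PATHS, timeout=5):
    """GET each path without credentials and classify the answer."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify_probe(resp.status, dict(resp.headers.items()))
        except urllib.error.HTTPError as err:  # 401/403 arrive here, headers intact
            results[path] = classify_probe(err.code, dict(err.headers.items()))
        except (urllib.error.URLError, OSError) as err:
            results[path] = "error: %s" % err
    return results


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CORE_SITE), ("fixed", FIXED_CORE_SITE)):
        print(label, audit(load_props(text)) or ["no findings"])
    if len(sys.argv) > 1:  # e.g. http://namenode.example.com:9870
        for path, verdict in probe(sys.argv[1]).items():
            print(path, verdict)
```

Run it with no arguments to see the audit of the two embedded samples; pass a web-console base URL (port 9870 for a Hadoop 3 NameNode, 50070 on Hadoop 2) to probe a live host. Any path reported as "open" on a cluster whose RPC side is on Kerberos is exactly the unauthenticated exposure the advisory describes; after enabling SPNEGO every probed path should come back "spnego-enforced".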
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hadoop:hadoop-main | Maven | >= 3.0.0-alpha2, < 3.0.1 | 3.0.1 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.9.0, < 2.9.3 | 2.9.3 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.8.0, < 2.8.6 | 2.8.6 |
Affected products
- Apache/Hadoop
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rhh9-cm65-3w54 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11765 (GHSA advisory)
- lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E (GHSA web; x_refsource_MISC)
- lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971%40%3Ccommits.druid.apache.org%3E (MITRE mailing list; GHSA web)
- lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf%40%3Cdev.druid.apache.org%3E (MITRE mailing list; GHSA web)
- security.netapp.com/advisory/ntap-20201016-0005 (GHSA web; MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.