CVE-2018-11768

Vulnerability

Description

CVE-2018-11768 is an information integrity flaw in Apache Hadoop affecting versions 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4. The root cause lies in how the NameNode serializes UserGroupInformation (UGI) data when writing the filesystem image (fsimage) and subsequently deserializes it upon restart or checkpoint loading. A corruption in the stored user/group mappings can occur, meaning that when the system reads the fsimage back, the permissions associated with files and directories may be attributed to the wrong users or groups [1][2].

Attack

Vector and Prerequisites

No specific exploit code or authentication bypass is described; the vulnerability is triggered internally during normal Hadoop operations—specifically when the NameNode persists its metadata. An attacker does not directly interact with the fsimage corruption; rather, the corruption arises from a software defect in the serialization/deserialization logic. However, if an adversary can control which files or directories are created (e.g., by submitting jobs that create data under a controlled identity), they might influence the metadata that becomes corrupted, potentially aligning the outcome with their goals. No network privileges beyond standard access to the HDFS cluster are required, though the corruption affects all filesystem operations post-restart [2].

Impact

A successful corruption of user/group information can lead to two serious outcomes: (1) a user may gain unauthorized access to files or directories that should have been owned by another user, effectively bypassing access control lists; (2) an administrator or automated tool may see incorrect ownership, leading to misconfiguration or security misjudgments. Because HDFS relies on Linux-like POSIX permissions (user, group, others), a corrupt UGI mapping can result in privilege escalations or data leakage, depending on the specific permissions applied to the affected inodes. The impact is primarily on data confidentiality and integrity, as the corrupted metadata may persist until manually corrected [2].

Mitigation

Status

The vulnerability is fully patched in Apache Hadoop 3.2.0 and later, 3.1.2, 2.9.2, and 2.8.5. Users running any of the impacted versions should upgrade to these fixed releases. No workaround other than upgrading is documented; admins should also audit the current fsimage for any inconsistent UGI entries after upgrade. The issue has not been listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the last check [1][2].