Lucene search

Redhat.comRH:CVE-2018-11765

HistorySep 29, 2020 - 3:50 p.m.

CVE-2018-11765

2020-09-2915:50:50

redhat.com

access.redhat.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

67.9%

JSON

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

Mitigation

Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or upper. If it is not possible and affected version of Apache Hadoop is used, SPNEGO through HTTP should be enabled.

References

bugzilla.redhat.com/show_bug.cgi?id=1883549

nvd.nist.gov/vuln/detail/CVE-2018-11765

seclists.org/oss-sec/2020/q3/198

www.cve.org/CVERecord?id=CVE-2018-11765

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

67.9%

JSON

Related for RH:CVE-2018-11765