Fixed issues in 7.1.9 SP1 CHF 8

Learn more about cumulative hotfix 8 for 7.1.9 SP1.

The following fixes were shipped for CDP Private Cloud Base version 7.1.9-1.cdh7.1.9.p1042.65851740.

CDPD-78266: Ozone Manager displays NullPointerException (NPE) when overwriting empty file using multipart upload
S3MultipartUploadCompleteRequestWithFSO displays a NullPointerException when an empty file is overwritten by a non-empty file, because omBucketInfo can be null (a null value is passed when no update is needed). This fix checks omBucketInfo before use.
CDPD-82201: OMKeyAclRequestWithFSO is incorrectly setting full path as key name
When you set, add, or remove an ACL for an FSO bucket, the key name gets corrupted with the full key path. This fix ensures the correct key name is set during the ACL calls.
CDPD-64865: Intermittent timeout in TestBlockDeletion.testBlockDeletion (BlockDeletionService stuck)
If the SCM safe-mode exit event was triggered multiple times, the SCMBlockDeletingService might eventually transition into a PAUSING state. This fix addresses the issue.
CDPD-73278: Update OM, SCM, Datanode conf for RATIS-2135
Set raft.grpc.message.size.max to be 1MB larger than raft.server.log.appender.buffer.byte-limit for OM, SCM and Datanode.
Apache JIRA: HDDS-11320
CDPD-73736: DN Startup fails with "RuntimeException: Can't start the HDDS datanode plugin" error
Remove the predefined hdds.ratis.raft.grpc.message.size. Its default value is determined by hdds.container.ratis.log.appender.queue.byte-limit + 1MB = 33MB.
Apache JIRA: HDDS-11375
CDPD-78932: Container replication should be atomic
During container replication, the destination node imports the container from the source node. If any issues are encountered during the import process, the Datanode is responsible for gracefully cleaning up any residual or stale container metadata to maintain system integrity.
Apache JIRA: HDDS-12233
CDPD-80742: ConstraintViolationException was crashing the ContainerHealthTask in Ozone Recon
ConstraintViolationException was crashing the ContainerHealthTask in Recon. After this fix, the task does not crash and continues to identify unhealthy containers in SCM, if any.
Apache JIRA: HDDS-12585
CDPD-81939: Volume scanner should fail volume if rocksDB is inaccessible
When RocksDB becomes unreadable on a DataNode due to disk-related issues, the DataNode will mark the affected storage volume as unhealthy. This proactive health marking enables the system to initiate data replication processes more rapidly, thereby maintaining data availability and integrity.
Apache JIRA: HDDS-12723
CDPD-78384: Volume should not be marked as unhealthy when the disk is full
When the disk is almost full, the volume scanner skips the write check.
Apache JIRA: HDDS-12239
CDPD-78960: Container import processing should respect reserved space at DN
Space is now reserved during container import for replication, similar to container creation.
Apache JIRA: HDDS-12235
CDPD-78506: Fix PATH environment variable creation for Shell action
With this fix, in Oozie's shell actions, the PATH environment variable is evaluated based on the YARN NodeManager host's settings. So, the PATH environment variable applies to the Launcher AM container when executed, rather than being evaluated on the Oozie server's JVM (the legacy method). You can revert to the legacy behavior by setting oozie.action.shell.setup-path-in-oozie-server to true in oozie-site.xml.

Oozie now also allows defining action-specific environment variables using oozie.launcher.<***ACTION_TYPE***>.action.env.<***VARIABLE_NAME***>, so that you can customize execution environments for each action type in the Launcher AM.

CDPD-81435: Upgrade commons-vfs2 to 2.10 due to CVE-2025-27553
The commons-vfs2 version is updated to 2.10 to fix vulnerability issues.
CDPD-81401: Impala SQL queries that include the WITH clause should populate lineage in Atlas
Previously, lineage in Atlas could be shown only for Impala SQL queries that do not use the "WITH" clause. Queries that use the "WITH" clause could not be shown with lineage in Atlas.

Impala SQL queries using the "WITH" clause are now supported.

CDPD-80921: Without a permission for one glossary, the /glossary call throws exception and it does not list the remaining glossaries
The getGlossaries method in GlossaryService is updated to ensure that the full paginated list is retrieved, even if some glossaries are skipped. This method includes the following improvements:
  • Handling skipped glossaries: If some entities fail to load, it fetches additional entities until the requested limit is met.
  • Efficient pagination: Keeps fetching until it gets the required number of valid glossaries.
  • Preventing infinite loops: The method stops when either the required number of glossaries is retrieved or there are no more to fetch.
Apache JIRA: ATLAS-4995
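
The fill-up loop described above, sketched in Python as an added illustration (this is not the Atlas GlossaryService code). The names fetch_guids, load_glossary and AccessDenied, and the sample data, are hypothetical.

```python
# Constructed data: glossary GUIDs in storage order, and the subset the caller may read.
ALL_GLOSSARIES = [f"g{i}" for i in range(1, 11)]
READABLE = {"g2", "g3", "g6", "g9", "g10"}


class AccessDenied(Exception):
    """Raised by the hypothetical loader when the caller lacks permission."""


def fetch_guids(offset, count):
    """Hypothetical store call: a raw page of GUIDs, before any permission check."""
    return ALL_GLOSSARIES[offset:offset + count]


def load_glossary(guid):
    """Hypothetical loader: fails for glossaries the caller is not allowed to read."""
    if guid not in READABLE:
        raise AccessDenied(guid)
    return {"guid": guid}


def get_glossaries(limit, offset=0):
    """Return up to `limit` readable glossaries and the offset to resume from."""
    results = []
    while len(results) < limit:
        # Ask only for as many entries as are still missing from the page.
        batch = fetch_guids(offset, limit - len(results))
        if not batch:        # nothing left to fetch: stop instead of looping forever
            break
        for guid in batch:
            offset += 1      # advance past every entry, readable or not
            try:
                results.append(load_glossary(guid))
            except AccessDenied:
                continue     # one denied glossary must not fail the whole listing
    return results, offset


if __name__ == "__main__":
    page, next_offset = get_glossaries(3)
    print([g["guid"] for g in page], next_offset)
```

Returning the resume offset alongside the page lets the next request continue after the skipped entries instead of re-reading them.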
CDPD-78832: Livy: Bootstrap upgrade/replacement due to EOL and CVEs
The bootstrap version is updated to the latest supported version.
CDPD-77911: Missing Log4j Redactor dependency
The class org.cloudera.log4j.redactor.RedactorAppender is now available on the classpath after the org.cloudera.logredactor dependency was added to the Atlas pom.xml. Providing the dependency ensures log redaction, which avoids potentially exposing credentials or PII in logs. This also prevents possible Log4j errors during startup.
CDPD-61527: Accessing Impala service through Knox on FIPS clusters fails with SSL error code 5
Resolved an issue that caused SSL error code 5 when accessing the Impala service through Knox on FIPS-enabled clusters.
CDPD-81309: Ranger KMS with Oracle DB was not supported for Navigator Encrypt
Navigator Encrypt deposit registration was failing when Ranger KMS DB was set up with Oracle DB, with the following error:
java.sql.SQLSyntaxErrorException: ORA-02289: sequence does not exist Error Code: 2289

The issue is fixed now.

CDPD-27801: Knox is missing HSTS header for HTTP 404 responses
Resolved an issue where Knox was missing the HTTP Strict-Transport-Security (HSTS) response header in HTTP 404 responses. The global HSTS header can now be configured to be included in all HTTP responses. This feature adds a security layer for HTTPS connections: for web applications that use HSTS, browsers are instructed not to attempt unencrypted connections to the domain, even if they find URLs for such connections.
To configure the HSTS header, go to Cloudera Manager > Knox > Configuration, search for the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml property, and set the following parameters to true:
  • gateway.strict.transport.enabled
  • gateway.strict.transport.option: (Optional) Use this parameter to specify a timeout value for the HSTS header. This parameter is applicable only if gateway.strict.transport.enabled is set to true.
Apache JIRA: KNOX-3111
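
To confirm the setting takes effect on error responses as well as successful ones, the following added example (not part of Knox or Cloudera Manager) audits captured responses for a missing or weak HSTS header. The sample responses are constructed, and the 180-day minimum is an assumed policy value, not a Knox default.

```python
# Constructed sample responses (status code, headers), as a scanner might record them.
SAMPLE_RESPONSES = [
    (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    (404, {"Content-Type": "text/html"}),                       # header absent
    (404, {"strict-transport-security": "max-age=0"}),          # tells browsers to drop HSTS
    (302, {"Strict-Transport-Security": "includeSubDomains"}),  # required max-age missing
]

MIN_MAX_AGE = 15552000  # assumed policy floor in seconds (180 days)


def parse_hsts(value):
    """Parse an HSTS header value into {directive: value} (RFC 6797, section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        # Directive names are case-insensitive; values may be quoted strings.
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit(responses, min_max_age=MIN_MAX_AGE):
    """Return (status, problem) for every response with missing or weak HSTS."""
    findings = []
    for status, headers in responses:
        lowered = {k.lower(): v for k, v in headers.items()}  # header names ignore case
        value = lowered.get("strict-transport-security")
        if value is None:
            findings.append((status, "missing header"))
            continue
        max_age = parse_hsts(value).get("max-age", "")
        if not (max_age.isascii() and max_age.isdigit()):
            findings.append((status, "no valid max-age"))
        elif int(max_age) < min_max_age:
            findings.append((status, f"max-age {max_age} below {min_max_age}"))
    return findings


if __name__ == "__main__":
    for status, problem in audit(SAMPLE_RESPONSES):
        print(status, problem)
```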
CDPD-81228: Backport KUDU-3647 more robust zlib wrapper code
This fix makes error handling more robust in the utility wrappers zlib::{CompressLevel, Uncompress}(). It also resolves a data corruption issue in Base64Decode(), where trailing bytes encoded as 'A' were previously discarded.
CDPD-77972: Backport KUDU-3638, disable KUDU-3486 behavior by default
This fix addresses an issue with tombstoned tablets caused by functionality introduced in KUDU-3486. The fix disables this functionality by updating the Heartbeater::Thread::last_tombstoned_report_time_ field. To re-enable the behavior, adjust the --tserver_send_tombstoned_tablets_report_interval_secs flag as needed.
CDPD-80268: Hide logout button when configured with Knox
In environments where Hue is configured with Knox, the Hue interface displayed the logout button, although logout must be handled by Knox. The logout button is now hidden in the Hue interface when Knox authentication is enabled.
CDPD-80574: Wrong results when CASE expressions have function calls referencing CHAR type expressions or columns
Queries using CASE expressions with nested function calls (such as UPPER()) having CHAR type expressions or columns as parameters returned incorrect results due to type mismatches and whitespace handling during execution.
Example:
case upper(col1) when 'A' then 'OK' else 'N/A' end
Here, col1 is a CHAR type column.
The issue was addressed by ensuring consistent type casting during query planning so that CHAR values are compared correctly after conversion.

Apache JIRA: HIVE-28792

CDPD-78680: Selected long string values are getting truncated in the react-select control
On the Ranger React UI, long input values selected in the react-select control were truncated.

This issue is fixed. Long selected input string values are no longer truncated on the Ranger React UI.

CDPD-81709: Update parquet-avro to 1.15.1 due to CVE-2025-30065
Because of CVE-2025-30065, schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and earlier versions allows bad actors to execute arbitrary code.

To address this CVE, the parquet-avro module is upgraded to version 1.15.1.

CDPD-81755: Restrict trusted packages in the parquet-avro module
Because of CVE-2025-30065, schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and earlier versions allows bad actors to execute arbitrary code.

To prevent this CVE, users must specify all the trusted packages in the org.apache.parquet.avro.SERIALIZABLE_PACKAGES environment variable. If the user does not want to specify the override property, then only the following packages, which are trusted by default, are allowed: java.lang, java.math, java.io, java.net, org.apache.parquet.avro.

CDPD-81687: Performance improvement for DelegationTokenSecretManager
This fix optimizes object locking by KMS threads and improves the overall KMS throughput. The fix is a part of hadoop-common.
Common Vulnerabilities and Exposures (CVEs) fixed in this CHF: