
Heartbleed Vulnerability in OpenSSL

The Heartbleed vulnerability is a serious vulnerability in OpenSSL as described at http://heartbleed.com/ (OpenSSL TLS heartbeat read overrun, CVE-2014-0160). Cloudera products do not ship with OpenSSL, but some components use this library. Customers using OpenSSL with Cloudera products need to update their OpenSSL library to one that doesn’t contain the vulnerability.

Products affected:
  • All versions of OpenSSL 1.0.1 prior to 1.0.1g
Components affected:
  • Hadoop Pipes uses OpenSSL.
  • Impala's RPC implementation, if SSL encryption is enabled for it (by setting --ssl_server_certificate). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
  • Impala's debug web server pages, if HTTPS is enabled for them (by setting --webserver_certificate_file). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
  • If HTTPS is used with Hue.
  • Cloudera Manager agents, with TLS turned on, will use OpenSSL.
Users affected:
  • All users of the above scenarios.

Severity: High (If using the scenarios above)

CVE: CVE-2014-0160

Immediate action required:
  • Ensure the OpenSSL library shipped by your Linux distribution has been updated to a version that does not have the vulnerability (CVE-2014-0160).
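One way to carry out that check on a host running Cloudera Manager agents, Impala, Hue or Hadoop Pipes, as an added example that is not part of the Cloudera advisory: the script below classifies the output of `openssl version` against the affected range (1.0.1 through 1.0.1f) and then looks at the distribution package changelog for CVE-2014-0160, because distributions that backport the fix keep the old version string (a patched "1.0.1e" looks identical to an unpatched one by version number alone). The banner strings and changelog lines in the test section are constructed; the changelog paths and the `rpm`/`zcat` commands are assumptions about where the local package manager keeps that information.

```shell
#!/bin/sh
# Added example, not part of the Cloudera advisory: triage the installed
# OpenSSL against CVE-2014-0160 from the defender's side.
# Two checks are combined, because the version banner alone is not enough:
#   1. the banner version falls in the affected range 1.0.1 .. 1.0.1f
#   2. the distribution package changelog mentions CVE-2014-0160, which is
#      how a backported fix shows up on systems that keep "1.0.1e" in the
#      version string after patching (assumption: changelog names the CVE).

# Extract the version token from "openssl version" output,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Is a version token in the Heartbleed-affected range? (0 = yes, 1 = no)
# Covers bare 1.0.1, 1.0.1a..1.0.1f, and the same with a "-fips" style suffix.
version_in_affected_range() {
    case "$1" in
        1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a banner line into one of three verdicts:
#   not-affected   version is outside 1.0.1 .. 1.0.1f (e.g. 1.0.1g, 1.0.0, 1.0.2)
#   patched        in range, but the package changelog names CVE-2014-0160
#   needs-update   in range and no backport evidence found
# $2 is the package changelog text (pass an empty string when unavailable).
classify_openssl() {
    token=$(openssl_version_token "$1")
    if ! version_in_affected_range "$token"; then
        echo "not-affected"
    elif printf '%s\n' "$2" | grep -q 'CVE-2014-0160'; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# Collect the real changelog on the local host if a package manager is present.
# Paths below are assumptions for RPM- and DEB-based systems respectively.
local_openssl_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null
    else
        for f in /usr/share/doc/libssl1.0.0/changelog.Debian.gz \
                 /usr/share/doc/openssl/changelog.Debian.gz; do
            [ -r "$f" ] && zcat "$f" 2>/dev/null
        done
    fi
    return 0
}

# Live check of this host, skipped when no openssl binary is installed.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    verdict=$(classify_openssl "$banner" "$(local_openssl_changelog)")
    echo "$banner -> $verdict"
fi
```

A "needs-update" verdict means the library is in the affected range and nothing on the host shows the fix was backported; "patched" is only as trustworthy as the changelog it was derived from, so treat the version line from the vendor's own advisory as the authoritative source. Note that the Cloudera Manager agents, Impala daemons and Hue processes must be restarted after the library is replaced, since a running process keeps the old library mapped.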