All Cloudera Product Issues

Heartbleed Vulnerability in OpenSSL

Heartbleed is a serious vulnerability in OpenSSL (a TLS heartbeat read overrun, CVE-2014-0160), described at http://heartbleed.com/. Cloudera products do not ship with OpenSSL, but some components use this library. Customers using OpenSSL with Cloudera products need to update their OpenSSL library to a version that does not contain the vulnerability.

Products affected:
  • All versions of OpenSSL 1.0.1 prior to 1.0.1g
Components affected:
  • Hadoop Pipes, which uses OpenSSL.
  • Impala's RPC implementation, if SSL encryption is enabled for it (by setting --ssl_server_certificate). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
  • Impala's debug web server pages, if HTTPS is enabled for them (by setting --webserver_certificate_file). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
  • Hue, if HTTPS is used with it.
  • Cloudera Manager agents, which use OpenSSL when TLS is turned on.
Users affected:
  • All users of the above scenarios.

Severity: High (if any of the scenarios above applies)

CVE: CVE-2014-0160

Immediate action required:
  • Ensure that the OpenSSL version shipped by your Linux distribution does not have the vulnerability.

“POODLE” Vulnerability on SSL/TLS enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, announced by Bodo Möller, Thai Duong, and Krzysztof Kotowicz at Google, forces the use of the obsolete SSLv3 protocol and then exploits a cryptographic flaw in SSLv3. The result is that an attacker on the same network as the victim can potentially decrypt parts of an otherwise encrypted channel.

SSLv3 has been obsolete, and known to have vulnerabilities, for many years now, but its retirement has been slow because of backward-compatibility concerns. SSLv3 has in the meantime been replaced by TLSv1, TLSv1.1, and TLSv1.2. Under normal circumstances, the strongest protocol version that both sides support is negotiated at the start of the connection. However, an attacker can introduce errors into this negotiation and force a fallback to the weakest protocol version, SSLv3.

The only solution to the POODLE attack is to completely disable SSLv3. This requires changes across a wide variety of components of CDH, and in Cloudera Manager.

Products affected: Cloudera Manager and CDH.

Releases affected: All CDH and Cloudera Manager versions earlier than the versions listed below:
  • Cloudera Manager and CDH 5.2.1
  • Cloudera Manager and CDH 5.1.4
  • Cloudera Manager and CDH 5.0.5
  • CDH 4.7.1
  • Cloudera Manager 4.8.5

Users affected: All users

Date and time of detection: October 14th, 2014.

Severity (Low/Medium/High): Medium. NIST rates the severity at 4.3 out of 10.

Impact: Allows unauthorized disclosure of information; allows component impersonation.

CVE: CVE-2014-3566

Immediate action required: Upgrade CDH and Cloudera Manager as follows:
  • If you are running Cloudera Manager and CDH 5.2.0, upgrade to Cloudera Manager and CDH 5.2.1
  • If you are running Cloudera Manager and CDH 5.1.0 through 5.1.3, upgrade to Cloudera Manager and CDH 5.1.4
  • If you are running Cloudera Manager and CDH 5.0.0 through 5.0.4, upgrade to Cloudera Manager and CDH 5.0.5
  • If you are running a CDH version earlier than 4.7.1, upgrade to CDH 4.7.1
  • If you are running a Cloudera Manager version earlier than 4.8.5, upgrade to Cloudera Manager 4.8.5
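Two defender-side checks for the Heartbleed and POODLE advisories above, written as an added example (this is not code from the Cloudera advisories): a test of whether an OpenSSL version banner falls in the affected 1.0.1 range, a backport check against the distribution's package changelog for CVE-2014-0160, and a live probe that reports whether a port still negotiates SSLv3. The version strings and changelog text are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the Cloudera advisory. Two defender-side
# checks: the Heartbleed version/backport test and a live SSLv3 probe for
# POODLE. Version strings and the changelog below are constructed samples.

# Heartbleed: return 0 when an OpenSSL version banner falls in the affected
# range the advisory gives (1.0.1 up to, but not including, 1.0.1g).
# Accepts "1.0.1", "OpenSSL 1.0.1e-fips 11 Feb 2013", etc.; any other
# release line (1.0.0x, 1.0.2) returns 1.
openssl_heartbleed_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\(OpenSSL \)\{0,1\}\(1\.0\.1[a-z]*\)\([^0-9a-z].*\)*$/\2/p')
    [ -n "$ver" ] || return 1          # not a 1.0.1 build at all
    letter=${ver#1.0.1}                # "" for plain 1.0.1, else the patch letter
    case "$letter" in
        ""|[a-f]) return 0 ;;          # 1.0.1 .. 1.0.1f: vulnerable upstream code
        *)        return 1 ;;          # 1.0.1g and later: fixed upstream
    esac
}

# Distributions backport the fix without changing the version letter, so a
# patched package can still report 1.0.1e. The package changelog (e.g.
# "rpm -q --changelog openssl") records the CVE; pass that text as $2.
# Prints one of: not-affected, patched-by-distro, vulnerable.
heartbleed_status() {
    if ! openssl_heartbleed_affected "$1"; then
        echo not-affected
    elif printf '%s\n' "$2" | grep -q 'CVE-2014-0160'; then
        echo patched-by-distro
    else
        echo vulnerable
    fi
}

# POODLE: return 0 if HOST:PORT still completes an SSLv3 handshake, 1 if the
# server refuses SSLv3, 2 if the local openssl was built without SSLv3 and
# the probe cannot be run. Needs network access to the target.
port_accepts_sslv3() {
    openssl s_client -help 2>&1 | grep -q -- '-ssl3' || return 2
    printf 'Q\n' | openssl s_client -connect "$1:$2" -ssl3 2>/dev/null |
        grep -q 'Protocol *: SSLv3'
}

# Constructed changelog entry (not a real package record) for the demo below.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 packager <packager@example.org> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013" "$SAMPLE_CHANGELOG"  # prints patched-by-distro
```

Run `port_accepts_sslv3 host 21050` (or whichever TLS-enabled port you are hardening) after the upgrade; a return of 1 confirms SSLv3 is refused, while 2 means the local openssl cannot speak SSLv3 at all and the check must be run from a host whose openssl still supports it.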

Apache Hadoop Distributed Cache Vulnerability

The Distributed Cache vulnerability allows a malicious cluster user to expose private files owned by the user that runs the YARN NodeManager process. The malicious user does this by creating a public tar archive that contains a symbolic link to a local file on the node running the YARN NodeManager process.

Products affected: YARN in CDH 5.

Releases affected: All CDH and Cloudera Manager versions earlier than the versions listed below:
  • Cloudera Manager and CDH 5.2.1
  • Cloudera Manager and CDH 5.1.4
  • Cloudera Manager and CDH 5.0.5

Users affected: Users running the YARN NodeManager daemon with Kerberos authentication.

Severity (Low/Medium/High): High.

Impact: Allows unauthorized disclosure of information.

CVE: CVE-2014-3627

Immediate action required: Upgrade CDH and Cloudera Manager as follows:
  • If you are running Cloudera Manager and CDH 5.2.0, upgrade to Cloudera Manager and CDH 5.2.1
  • If you are running Cloudera Manager and CDH 5.1.0 through 5.1.3, upgrade to Cloudera Manager and CDH 5.1.4
  • If you are running Cloudera Manager and CDH 5.0.0 through 5.0.4, upgrade to Cloudera Manager and CDH 5.0.5