This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

What's New in CDH 5.1.4

This is a maintenance release that fixes the “POODLE” and Apache Hadoop Distributed Cache vulnerabilities described below. All CDH 5.1.x users should upgrade to 5.1.4 as soon as possible.

POODLE Vulnerability on SSL/TLS enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack forces the use of the obsolete SSLv3 protocol and then exploits a cryptographic flaw in SSLv3. The only solution is to disable SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager in all current versions. CDH 5.1.4 provides these changes for CDH 5.1.x deployments. For more information, see the Cloudera Security Bulletin.

Other Fixes

CDH 5.1.4 also fixes the following issues:

  • DATAFU-68 - SampleByKey can throw NullPointerException
  • HADOOP-11243 - SSLFactory shouldn't allow SSLv3
  • HADOOP-11156 - DelegateToFileSystem should implement getFsStatus(final Path f).
  • HDFS-7391 - Reenable SSLv2Hello in HttpFS
  • HDFS-7235 - DataNode#transferBlock should report blocks that don't exist using reportBadBlock
  • HDFS-7274 - Disable SSLv3 in HttpFS
  • HDFS-7005 - DFS input streams do not timeout
  • HDFS-6376 - Distcp data between two HA clusters requires another configuration
  • HDFS-6621 - Hadoop Balancer prematurely exits iterations
  • YARN-2273 - NPE in ContinuousScheduling thread when we lose a node
  • YARN-2566 - DefaultContainerExecutor should pick a working directory randomly
  • YARN-2588 - Standby RM does not transitionToActive if previous transitionToActive is failed with ZK exception.
  • YARN-2641 - Decommission nodes on -refreshNodes instead of next NM-RM heartbeat
  • YARN-2608 - FairScheduler: Potential deadlocks in loading alloc files and clock access
  • HBASE-12376 - HBaseAdmin leaks ZK connections if failure starting watchers (ConnectionLossException)
  • HBASE-12366 - Add login code to HBase Canary tool
  • HBASE-12098 - User granted namespace table create permissions can't create a table
  • HBASE-12087 - [0.98] Changing the default setting of hbase.security.access.early_out to true
  • HBASE-11896 - LoadIncrementalHFiles fails in secure mode if the namespace is specified
  • HBASE-12054 - bad state after NamespaceUpgrade with reserved table names
  • HBASE-12460 - Moving Chore to hbase-common module
  • HIVE-5643 - ZooKeeperHiveLockManager.getQuorumServers incorrectly appends the custom zk port to quorum hosts
  • HIVE-8675 - Increase thrift server protocol test coverage
  • HIVE-8827 - Remove SSLv2Hello from list of disabled protocols
  • HIVE-8182 - beeline fails when executing multiple-line queries with trailing spaces
  • HIVE-8330 - HiveResultSet.findColumn() parameters are case sensitive
  • HIVE-5994 - ORC RLEv2 encodes wrongly for large negative BIGINTs (64 bits)
  • HIVE-7629 - Problem in SMB Joins between two Parquet tables
  • HIVE-6670 - ClassNotFound with Serde
  • HIVE-6409 - FileOutputCommitterContainer::commitJob() cancels delegation tokens too early.
  • HIVE-7647 - Beeline does not honor --headerInterval and --color when executing with \
  • HIVE-7441 - Custom partition scheme gets rewritten with hive scheme upon concatenate
  • HIVE-5871 - Use multiple-characters as field delimiter
  • HIVE-1363 - SHOW TABLE EXTENDED LIKE command does not strip single/double quotes
  • HIVE-5989 - Hive metastore authorization check is not threadsafe
  • HUE-2438 - [core] Disable SSLv3 for Poodle vulnerability
  • HUE-2291 - [oozie] Faster dashboard display
  • IMPALA-1334 - Impala does not map principals to lowercase, affecting Sentry authorisation
  • IMPALA-1251 - High-offset queries hang
  • IMPALA-1338 - HDFS does not return all ACLs in getAclStatus()
  • IMPALA-1279 - Impala does not employ ACLs when checking path permissions for LOAD and INSERT
  • OOZIE-2034 - Disable SSLv3 (POODLEbleed vulnerability)
  • OOZIE-2063 - Cron syntax creates duplicate actions
  • SENTRY-428 - Sentry service should periodically renew the server kerberos ticket
  • SENTRY-431 - Sentry db provider client should attempt to refresh kerberos ticket before connection
  • SPARK-3606 - Spark-on-Yarn AmIpFilter does not work with Yarn HA

Page generated September 3, 2015.