All Cloudera Product Issues

Privilege Escalation and Database Exposure in Cloudera Data Science Workbench

Several web application vulnerabilities allow malicious authenticated Cloudera Data Science Workbench (CDSW) users to escalate privileges in CDSW. In combination, such users can exploit these vulnerabilities to gain root access to CDSW nodes, gain access to the CDSW database, which includes Kerberos keytabs of CDSW users and bcrypt-hashed passwords, and obtain other privileged information such as session tokens, invitation tokens, and environment variables.

Products affected: Cloudera Data Science Workbench

Releases affected:

Cloudera Data Science Workbench 1.0.0, 1.0.1, 1.1.0, 1.1.1

Users affected:

All users of Cloudera Data Science Workbench 1.0.0, 1.0.1, 1.1.0, 1.1.1

Date/time of detection: September 1, 2017

Detected by: NCC Group

Severity (Low/Medium/High): High

Impact: Privilege escalation and database exposure.

CVE: CVE-2017-15536

Immediate action required: Upgrade to the latest version of Cloudera Data Science Workbench.

Addressed in release/refresh/patch: Cloudera Data Science Workbench 1.2.0 or higher.

Access control issue on /desktop/api endpoints on Cloudera Hue

Cloudera Hue, as shipped with the affected releases listed below, allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete.

Products affected: Cloudera Hue

Releases affected:
  • CDH 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6
  • CDH 5.1.0, 5.1.2, 5.1.3, 5.1.4, 5.1.5
  • CDH 5.2.0, 5.2.1, 5.2.3, 5.2.4, 5.2.5, 5.2.6
  • CDH 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.7, 5.3.8, 5.3.9, 5.3.10
  • CDH 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11
  • CDH 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6
  • CDH 5.6.0, 5.6.1
  • CDH 5.7.0, 5.7.1, 5.7.3, 5.7.4, 5.7.5, 5.7.6
  • CDH 5.8.0, 5.8.1, 5.8.2
  • CDH 5.9.0

Users affected: All Cloudera Hue users

Date/time of detection: May 20, 2016

Severity (Low/Medium/High): Medium

Impact: An attacker can leverage this issue to harvest valid user accounts and attempt to use the accounts in brute-force attacks.

CVE: CVE-2016-4947

Immediate action required: Upgrade to any of the following releases, which resolve this issue.

Addressed in release/refresh/patch:
  • CDH 5.8.3 and higher
  • CDH 5.9.1 and higher
  • CDH 5.10.0 and higher

Apache YARN NodeManager Password Exposure

The YARN NodeManager in Apache Hadoop may leak the password for its credential store. This credential store is created by Cloudera Manager and contains sensitive information used by the NodeManager. Any container launched by that NodeManager can gain access to the password that protects the credential store.

Examples of sensitive information inside the credential store include a keystore password and an LDAP bind user password.

The credential store is also protected by Unix file permissions. When managed by Cloudera Manager, the credential store is readable only by the yarn user and the hadoop group. As a result, the scope of this leak is mitigated, making this a Low severity issue.

Products affected: YARN

Releases affected:
  • CDH 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.7, 5.4.8, 5.4.9, 5.4.10
  • CDH 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4
  • CDH 5.6.0, 5.6.1
  • CDH 5.7.0, 5.7.1, 5.7.2
  • CDH 5.8.0, 5.8.1

Users affected: Cloudera Manager users who configure YARN to connect to external services (such as LDAP) that require a password, or who have enabled TLS for YARN.

Date/time of detection: March 15, 2016

Detected by: Robert Kanter

Severity (Low/Medium/High): Low (The credential store itself has restrictive permissions.)

Impact: Potential sensitive data exposure

CVE: CVE-2016-3086

Immediate action required: Upgrade to one of the releases listed below, in which this issue is addressed, or higher.

Addressed in release/refresh/patch: CDH 5.4.11, CDH 5.5.5, CDH 5.6.2, CDH 5.7.3, CDH 5.8.2

Read Access to Impala Views in queries with WHERE-clause Subqueries

Impala bypasses Sentry authorization for views if the query or the view itself contains a subquery in any WHERE clause. This gives read access to the views to any user that would otherwise have insufficient privileges.

The underlying base tables of views are unaffected. Queries that do not have subqueries in the WHERE clause are unaffected (unless the view itself contains such a subquery).

Other operations, like accessing the view definition or altering the view, are unaffected.

Products affected: Impala

Releases affected:
  • CDH 5.2.0 and higher
  • CDH 5.3.0 and higher
  • CDH 5.4.0 and higher
  • CDH 5.5.0 and higher
  • CDH 5.6.0, 5.6.1
  • CDH 5.7.0, 5.7.1, 5.7.2
  • CDH 5.8.0

Users affected: Users who run Impala + Sentry and use views

Date/time of detection: July 26, 2016

Severity (Low/Medium/High): High

Impact: Users can bypass Sentry authorization for Impala views.

CVE: CVE-2016-6605

Immediate action required: Upgrade to a CDH version containing the fix.

Addressed in release/refresh/patch: CDH 5.9.0 and higher, CDH 5.8.2 and higher, CDH 5.7.3 and higher

For the latest update on this issue see the corresponding Knowledge article:

Read Access to Impala Views in the Presence of WHERE-clause Subqueries

Apache Hadoop Privilege Escalation Vulnerability

A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands as the hdfs user.

See CVE-2016-5393 Apache Hadoop Privilege escalation vulnerability

Products affected: HDFS and YARN

Releases affected:
  • CDH 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6
  • CDH 5.1.0, 5.1.2, 5.1.3, 5.1.4, 5.1.5
  • CDH 5.2.0, 5.2.1, 5.2.3, 5.2.4, 5.2.5, 5.2.6
  • CDH 5.3.0, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.8, 5.3.9, 5.3.10
  • CDH 5.4.0, 5.4.1, 5.4.3, 5.4.4, 5.4.5, 5.4.7, 5.4.8, 5.4.9, 5.4.10
  • CDH 5.5.0, 5.5.1, 5.5.2, 5.5.4
  • CDH 5.6.0, 5.6.1
  • CDH 5.7.0, 5.7.1, 5.7.2
  • CDH 5.8.0

Users affected: All

Date/time of detection: July 26th, 2016

Severity (Low/Medium/High): High

Impact: A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.

This vulnerability is critical because it is easy to exploit and compromises system-wide security. As a result, a remote user can potentially run any arbitrary command as the hdfs user. This bypasses all Hadoop security. There is no mitigation for this vulnerability.

CVE: CVE-2016-5393

Immediate action required: Upgrade immediately.

Addressed in release/refresh/patch: CDH 5.4.11, CDH 5.5.5, CDH 5.7.3, CDH 5.8.2, CDH 5.9.0 and higher.

Solr Queries by document id can bypass Sentry document-level security via the RealTimeGetHandler

Solr RealTimeGet queries with the id or ids parameters are not checked by Sentry document-level security in versions prior to CDH 5.7.0. The id or ids parameters must be exact matches for document ids (wildcards are not supported), and the document ids are not otherwise visible to users who are denied access by document-level security. However, a user with internal knowledge of the document id structure, or who is able to guess document ids, is able to access unauthorized documents. This issue is documented in SENTRY-989.

Products affected: Cloudera Search

Releases affected: All versions of CDH 5, except for those indicated in the Addressed in release/refresh/patch section below.

Users affected: Cloudera Search users implementing document-level security

Date/time of detection: December 17, 2015

Severity (Low/Medium/High): Medium

CVE: CVE-2016-6353

Immediate action required: Upgrade to CDH 5.7.0 or higher.

Addressed in release/refresh/patch: CDH 5.7.0 and higher.

Impala issued REVOKE ALL ON SERVER does not revoke all privileges

For Impala users that use Sentry for authorization, issuing a REVOKE ALL ON SERVER FROM <ROLE> statement does not remove all server-level privileges from the <ROLE>. Specifically, Sentry fails to revoke privileges that were issued to <ROLE> through a GRANT ALL ON SERVER TO <ROLE> statement. All other privileges are revoked, but <ROLE> still has ALL privileges at SERVER scope after the REVOKE ALL ON SERVER statement has been executed. The privileges are shown in the output of a SHOW GRANT statement.

Products affected: Impala, Sentry

Releases affected:
  • CDH 5.5.0, CDH 5.5.1, CDH 5.5.2, CDH 5.5.4
  • CDH 5.6.0, CDH 5.6.1
  • CDH 5.7.0

Users affected: Customers who use Sentry authorization in Impala

Date/time of detection: April 25, 2016

Severity (Low/Medium/High): Medium

Impact: Inability to revoke ALL SERVER privileges from a specific role using Impala if they have been granted through a GRANT ALL SERVER statement.

CVE: CVE-2016-4572

Immediate action required: If the affected role has ALL privileges on SERVER, you can remove these privileges by dropping and re-creating the role. Alternatively, upgrade to 5.7.1, or 5.8.0 or higher.

Addressed in release/refresh/patch: CDH 5.7.1, CDH 5.8.0 and higher.

Impala does not authorize authenticated Kerberos users who access internal APIs

In an Impala deployment secured with Kerberos, a malicious authenticated user can create a program that bypasses Impala and Sentry authorization mechanisms to issue internal API calls directly. That user can then query tables to which they should not have access, or alter table metadata.

Products affected: Impala

Releases affected: All versions of CDH 5, except for those indicated in the ‘Addressed in release/refresh/patch’ section below.

Users affected: All users of Impala and Sentry with Kerberos enabled.

Date/time of detection: February 4, 2016

Severity (Low/Medium/High): High

CVE: CVE-2016-3131

Immediate action required: Upgrade to most recent maintenance release.

Addressed in release/refresh/patch: CDH 5.3.10 and higher, 5.4.10 and higher, 5.5.4 and higher, 5.6.1 and higher, 5.7.0 and higher

Encrypted MapReduce spill data on the local file system is vulnerable to unauthorized disclosure

MapReduce spills intermediate data to the local disk. The encryption key used to encrypt this spill data is stored in clear text on the local filesystem along with the encrypted data itself. A malicious user with access to the file with these credentials can load the tokens from the file, read the key, and then decrypt the spill data.

See the upstream announcement on the Mitre site.

Products affected: MapReduce

Releases affected:
  • CDH 5.2.0, CDH 5.2.1, CDH 5.2.3, CDH 5.2.4, CDH 5.2.5, CDH 5.2.6
  • CDH 5.3.0, CDH 5.3.2, CDH 5.3.3, CDH 5.3.4, CDH 5.3.5, CDH 5.3.6, CDH 5.3.8, CDH 5.3.9
  • CDH 5.4.0, CDH 5.4.1, CDH 5.4.3, CDH 5.4.4, CDH 5.4.5, CDH 5.4.7, CDH 5.4.8, CDH 5.4.9
  • CDH 5.5.0, CDH 5.5.1, CDH 5.5.2

Users affected: Users who have enabled encryption of MapReduce intermediate/spilled data to the local filesystem

Severity (Low/Medium/High): High

CVE: CVE-2015-1776

Addressed in release/refresh/patch: CDH 5.3.10, CDH 5.4.10, CDH 5.5.4; CDH 5.6.0 and higher

Immediate action required: Upgrade to one of the above releases if you use spill data encryption. With this security fix, MapReduce ApplicationMaster failures are no longer tolerated when spill data is encrypted; after the upgrade, individual MapReduce jobs might fail if the ApplicationMaster goes down.

Hive built-in functions “reflect”, “reflect2”, and “java_method” not blocked by default in Sentry

Sentry does not block the execution of Hive built-in functions “reflect”, “reflect2”, and “java_method” by default in some CDH versions. These functions allow the execution of arbitrary user code, which is a security issue.

This issue is documented in SENTRY-960.

Products affected: Hive, Sentry

Releases affected:

CDH 5.4.0, CDH 5.4.1, CDH 5.4.2, CDH 5.4.3, CDH 5.4.4, CDH 5.4.5, CDH 5.4.6, CDH 5.4.7, CDH 5.4.8, CDH 5.5.0, CDH 5.5.1

Users affected: Users running Sentry with Hive.

Date/time of detection: November 13, 2015

Severity (Low/Medium/High): High

Impact: This potential vulnerability may enable an authenticated user to execute arbitrary code as a Hive superuser.

CVE: CVE-2016-0760

Immediate action required: Explicitly add the following to the blacklist property in hive-site.xml of Hive Server2:

  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect,reflect2,java_method</value>
  </property>

Addressed in release/refresh/patch: CDH 5.4.9, CDH 5.5.2, CDH 5.6.0 and higher
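
An audit check for the workaround above, added here as an example (it is not Cloudera's or the Hive project's code): it parses a hive-site.xml document and reports which of the three functions are still missing from hive.server2.builtin.udf.blacklist. The function names, the sample documents, the whitespace trimming, and the rule that the last definition of the property wins are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

PROP = "hive.server2.builtin.udf.blacklist"
# The three built-in functions the advisory says must be blocked.
REQUIRED = {"reflect", "reflect2", "java_method"}


def blacklist_entries(hive_site_xml):
    """Return the set of function names listed in the blacklist property."""
    root = ET.fromstring(hive_site_xml)
    entries = set()
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            value = prop.findtext("value") or ""
            # Assumption: entries are comma-separated and compared after
            # trimming whitespace; if the property is defined more than
            # once, the last definition replaces earlier ones.
            entries = {item.strip() for item in value.split(",") if item.strip()}
    return entries


def missing_functions(hive_site_xml):
    """Return the required functions that the configuration does not block."""
    return sorted(REQUIRED - blacklist_entries(hive_site_xml))


# Constructed sample inputs (not taken from a real cluster).
AS_ADVISED = """<configuration>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect,reflect2,java_method </value>
  </property>
</configuration>"""

PARTIAL = """<configuration>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect, reflect2</value>
  </property>
</configuration>"""

ABSENT = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("as advised", AS_ADVISED), ("partial", PARTIAL), ("absent", ABSENT)):
        gaps = missing_functions(doc)
        print(f"{label}: {'OK' if not gaps else 'NOT BLOCKED: ' + ', '.join(gaps)}")
```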

Apache Commons Collections Deserialization Vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Cloudera Products affected: Cloudera Manager, Cloudera Navigator, Cloudera Director, CDH

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower, Director 1.5.1 and lower

Users affected: All

Date/time of detection: Nov 7, 2015

Severity (Low/Medium/High): High

Impact: This potential vulnerability might enable an attacker to run arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to the latest suitable version containing this fix when it is available.

Addressed in release/refresh/patch: Beginning with CDH 5.5.1, 5.4.9, and 5.3.9, Cloudera Manager 5.5.1, 5.4.9, and 5.3.9, Cloudera Navigator 2.4.1, 2.3.9 and 2.2.9, and Director 1.5.2, the new Apache Commons Collections library version is included in all Cloudera products.

Heartbleed Vulnerability in OpenSSL

The Heartbleed vulnerability is a serious vulnerability in OpenSSL as described at http://heartbleed.com/ (OpenSSL TLS heartbeat read overrun, CVE-2014-0160). Cloudera products do not ship with OpenSSL, but some components use this library. Customers using OpenSSL with Cloudera products need to update their OpenSSL library to one that doesn’t contain the vulnerability.

Products affected:
  • All versions of OpenSSL 1.0.1 prior to 1.0.1g

Components affected:
  • Hadoop Pipes uses OpenSSL.
  • Impala, if SSL encryption is enabled for its RPC implementation (by setting --ssl_server_certificate). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
  • Impala, if HTTPS is enabled for its debug web server pages (by setting --webserver_certificate_file). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
  • Hue, if HTTPS is used.
  • Cloudera Manager agents, with TLS turned on, will use OpenSSL.

Users affected:
  • All users of the above scenarios.

Severity: High (If using the scenarios above)

CVE: CVE-2014-0160

Immediate action required:
  • Ensure your Linux distribution version does not have the vulnerability.

“POODLE” Vulnerability on SSL/TLS enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, announced by Bodo Möller, Thai Duong, and Krzysztof Kotowicz at Google, forces the use of the obsolete SSLv3 protocol and then exploits a cryptographic flaw in SSLv3. The result is that an attacker on the same network as the victim can potentially decrypt parts of an otherwise encrypted channel.

SSLv3 has been obsolete, and known to have vulnerabilities, for many years now, but its retirement has been slow because of backward-compatibility concerns. SSLv3 has in the meantime been replaced by TLSv1, TLSv1.1, and TLSv1.2. Under normal circumstances, the strongest protocol version that both sides support is negotiated at the start of the connection. However, an attacker can introduce errors into this negotiation and force a fallback to the weakest protocol version -- SSLv3.

The only solution to the POODLE attack is to completely disable SSLv3. This requires changes across a wide variety of components of CDH, and in Cloudera Manager.

Products affected: Cloudera Manager and CDH.

Releases affected: All CDH and Cloudera Manager versions earlier than the versions listed below:
  • Cloudera Manager and CDH 5.2.1
  • Cloudera Manager and CDH 5.1.4
  • Cloudera Manager and CDH 5.0.5
  • CDH 4.7.1
  • Cloudera Manager 4.8.5

Users affected: All users

Date and time of detection: October 14th, 2014.

Severity: (Low/Medium/High): Medium. NIST rates the severity at 4.3 out of 10.

Impact: Allows unauthorized disclosure of information; allows component impersonation.

CVE: CVE-2014-3566

Immediate action required: Upgrade CDH and Cloudera Manager as follows:
  • If you are running Cloudera Manager and CDH 5.2.0, upgrade to Cloudera Manager and CDH 5.2.1
  • If you are running Cloudera Manager and CDH 5.1.0 through 5.1.3, upgrade to Cloudera Manager and CDH 5.1.4
  • If you are running Cloudera Manager and CDH 5.0.0 through 5.0.4, upgrade to Cloudera Manager and CDH 5.0.5
  • If you are running a CDH version earlier than 4.7.1, upgrade to CDH 4.7.1
  • If you are running a Cloudera Manager version earlier than 4.8.5, upgrade to Cloudera Manager 4.8.5

Apache Hadoop Distributed Cache Vulnerability

The Distributed Cache Vulnerability allows a malicious cluster user to expose private files owned by the user running the YARN NodeManager process. The malicious user can create a public tar archive containing a symbolic link to a local file on the host running the YARN NodeManager process.

Products affected: YARN in CDH 5.

Releases affected: All CDH and Cloudera Manager versions earlier than the versions listed below:
  • Cloudera Manager and CDH 5.2.1
  • Cloudera Manager and CDH 5.1.4
  • Cloudera Manager and CDH 5.0.5

Users affected: Users running the YARN NodeManager daemon with Kerberos authentication.

Severity: (Low/Medium/High): High.

Impact: Allows unauthorized disclosure of information.

CVE: CVE-2014-3627

Immediate action required: Upgrade CDH and Cloudera Manager as follows:
  • If you are running Cloudera Manager and CDH 5.2.0, upgrade to Cloudera Manager and CDH 5.2.1
  • If you are running Cloudera Manager and CDH 5.1.0 through 5.1.3, upgrade to Cloudera Manager and CDH 5.1.4
  • If you are running Cloudera Manager and CDH 5.0.0 through 5.0.4, upgrade to Cloudera Manager and CDH 5.0.5

Hue Document Privilege Escalation

A user with read-only access to a document in Hue can grant themselves write access to that document and change that document’s privileges for other users. If the document is a Hive, Impala, or Oozie job, the user can inject arbitrary code that runs with the permissions of the next user who runs the job.

Products affected: Hue

Releases affected:
  • CDH 5.0.0, CDH 5.0.1, CDH 5.0.2, CDH 5.0.3, CDH 5.0.4, CDH 5.0.5, CDH 5.0.6
  • CDH 5.1.0, CDH 5.1.2, CDH 5.1.3, CDH 5.1.4, CDH 5.1.5
  • CDH 5.2.0, CDH 5.2.1, CDH 5.2.3, CDH 5.2.4, CDH 5.2.5, CDH 5.2.6
  • CDH 5.3.0, CDH 5.3.2, CDH 5.3.3, CDH 5.3.4, CDH 5.3.5, CDH 5.3.6, CDH 5.3.8, CDH 5.3.9
  • CDH 5.4.0, CDH 5.4.1, CDH 5.4.3, CDH 5.4.4, CDH 5.4.5, CDH 5.4.7, CDH 5.4.8

Users affected: Customers using Hue

Date/time of detection: October 9, 2015

Severity (Low/Medium/High): Medium

Impact: Malicious users may be able to run arbitrary code with the permissions of another user.

CVE: CVE-2015-7831

Immediate action required: Upgrade to CDH 5.4.9 or CDH 5.5.0.

Addressed in release/refresh/patch: CDH 5.4.9 or CDH 5.5.0