Cloudera Manager Issues

Sensitive data of processes managed by Cloudera Manager are not secured by file permissions

Products affected: Cloudera Manager

Releases affected: 5.9.2, 5.10.1, 5.11.0

Users affected: All users of Cloudera Manager on 5.9.2, 5.10.1, 5.11.0

Severity (Low/Medium/High): High

Impact: Sensitive data (such as passwords) might be exposed to users with direct access to cluster hosts due to overly permissive local file system permissions for certain files created by Cloudera Manager.

The password is also visible in the Cloudera Manager Admin Console in the configuration files for the Spark History Server process.

CVE: CVE-2017-9327

Immediate action required: Upgrade Cloudera Manager to 5.9.3, 5.10.2, 5.11.1, 5.12.0 or higher

Addressed in release/refresh/patch: Cloudera Manager 5.9.3, 5.10.2, 5.11.1, 5.12.0 or higher

Local Script Injection Vulnerability In Cloudera Manager

There is a script injection vulnerability in Cloudera Manager’s help search box. The user of Cloudera Manager can enter a script but there is no way for an attacker to inject a script externally. Furthermore, the script entered into the search box has to actually return valid search results for the script to execute.

Products affected: Cloudera Manager

Releases affected:
  • Cloudera Manager 5.0.0, 5.0.1, 5.0.2, 5.0.5, 5.0.6, 5.0.7
  • Cloudera Manager 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6
  • Cloudera Manager 5.2.0, 5.2.1, 5.2.2, 5.2.4, 5.2.5, 5.2.6, 5.2.7
  • Cloudera Manager 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10
  • Cloudera Manager 5.4.0, 5.4.1, 5.4.3, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10
  • Cloudera Manager 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.6
  • Cloudera Manager 5.6.0, 5.6.1
  • Cloudera Manager 5.7.0, 5.7.1, 5.7.2, 5.7.4, 5.7.5
  • Cloudera Manager 5.8.0, 5.8.1, 5.8.2, 5.8.3
  • Cloudera Manager 5.9.0

Users affected: All Cloudera Manager users

Date/time of detection: November 10th, 2016

Severity (Low/Medium/High): Low

Impact: Possible override of client-side JavaScript controls.

CVE: CVE-2016-9271

Immediate action required: Upgrade to one of the releases below

Addressed in release/refresh/patch:
  • Cloudera Manager 5.7.6 and higher
  • Cloudera Manager 5.8.4 and higher
  • Cloudera Manager 5.9.1 and higher
  • Cloudera Manager 5.10.0 and higher

Keystore password for Spark History Server not properly secured

Products affected: Cloudera Manager

Releases affected: 5.11.0

Users affected: All users with TLS enabled for the Spark History Server.

Date/time of detection: April 18, 2017

Severity (Low/Medium/High): Medium

Impact: The keystore password for the Spark History Server is exposed in a world-readable file on the machine running the Spark History Server. The keystore file itself is not exposed.

The password is also visible in the Cloudera Manager Admin Console in the configuration files for the Spark History Server process.

CVE: CVE-2017-9326

Immediate action required: Upgrade to Cloudera Manager 5.11.1.

Addressed in release/refresh/patch: 5.11.1 or higher.

For the latest update on this issue see the Cloudera Knowledge article, TSB 2017-237: Keystore password for the Spark History Server not properly secured.

Potentially Sensitive Information in Cloudera Diagnostic Support Bundles

Cloudera Manager transmits certain diagnostic data (or "bundles") to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for customers.

Cloudera support discovered that potentially sensitive data may be included in diagnostic bundles and transmitted to Cloudera. This sensitive data cannot be used by Cloudera for any purpose.

Cloudera has modified Cloudera Manager so that known sensitive data is redacted from the bundles before transmission to Cloudera. Work is in progress in Cloudera CDH components to remove logging and output of known potentially sensitive properties and configurations.

See Cloudera Manager Release Notes, specifically, What's New in Cloudera Manager 5.9.0 for more information (scroll to Diagnostic Bundles). Also see Sensitive Data Redaction in the Cloudera Security Guide for more information about bundles and redaction.

Cloudera strives to establish and follow best practices for the protection of customer information. Cloudera continually reviews and improves security practices, infrastructure, and data-handling policies.

Products affected: Cloudera CDH and Enterprise Editions

Releases affected: All Cloudera CDH and Enterprise Edition releases lower than 5.9.0

Users affected: All users

Date/time of detection: June 20th, 2016

Severity (Low/Medium/High): Medium

Impact: Possible logging and transmission of sensitive data

CVE: CVE-2016-5724

Immediate action required: Upgrade to Cloudera CDH and Enterprise Editions 5.9

Addressed in release/refresh/patch: Cloudera CDH and Enterprise Editions 5.9 and higher

For updates about this issue, see the Cloudera Knowledge article, TSB 2016-166: Potentially Sensitive Information in Cloudera Diagnostic Support Bundles.

Cross Site Scripting (XSS) Vulnerability in Cloudera Manager

Several pages in the Cloudera Manager UI are vulnerable to an XSS attack.

Products affected: Cloudera Manager

Releases affected: All versions of Cloudera Manager 5 except for those indicated in the ‘Addressed in release/refresh/patch’ section below.

Users affected: All customers who use Cloudera Manager.

Date/time of detection: May 19, 2016

Detected by: Solucom Advisory

Severity (Low/Medium/High): High

Impact: An XSS vulnerability can be used by an attacker to perform malicious actions. One probable form of attack is to steal the credentials for a victim Cloudera Manager account.

CVE: CVE-2016-4948

Immediate action required: Upgrade Cloudera Manager to version 5.7.2 or higher or 5.8.x

Addressed in release/refresh/patch: Cloudera Manager 5.7.2 and higher and 5.8.x.

Sensitive Data Exposed in Plain-Text Readable Files

Cloudera Manager Agent stores configuration information in various configuration files that are world-readable. Some of this configuration information may involve sensitive user data, including credential values used for authentication with other services. These files are located in /var/run/cloudera-scm-agent/supervisor/include on every host. Cloudera Manager passes information such as credentials to the Hadoop processes it manages via environment variables, which are written to configuration files in this directory.

Additionally, the response from Cloudera Manager Server to heartbeat messages sent by the Cloudera Manager Agent is stored in a world-readable file (/var/lib/cloudera-scm-agent/response.avro) on every host. This file may contain sensitive data.

These files and directories have been restricted to being readable only by the user running Cloudera Manager Agent, which by default is root.
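A small permission audit for the two paths named above, added here as an example and not Cloudera's code: it lists regular files under those paths that are readable by users other than the owner (the state the fix removes), and builds a constructed sample tree so it can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not Cloudera's code: audit the paths named in the advisory
# for files readable by "others". After the fix they should be readable
# only by the agent user (root by default), i.e. no o+r bit anywhere.

# Paths taken from the advisory text.
DEFAULT_PATHS="/var/run/cloudera-scm-agent/supervisor/include /var/lib/cloudera-scm-agent/response.avro"

# List every regular file under the given paths whose mode grants read to
# "others" (-perm -004 matches when the o+r bit is set, whatever else is set).
find_world_readable() {
    for p in "$@"; do
        [ -e "$p" ] || continue          # path absent on this host: nothing to check
        find "$p" -type f -perm -004 2>/dev/null
    done
    return 0
}

# Number of findings, so a caller or test can assert on it.
count_world_readable() {
    find_world_readable "$@" | wc -l | tr -d ' '
}

# Constructed sample tree mimicking the layout: one world-readable env file
# (the vulnerable state) and one owner-only heartbeat response (the fixed state).
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/supervisor/include"
    printf 'EXAMPLE_DB_PASSWORD=constructed-secret\n' > "$base/supervisor/include/proc.env"
    chmod 644 "$base/supervisor/include/proc.env"
    printf 'constructed heartbeat response\n' > "$base/response.avro"
    chmod 600 "$base/response.avro"
    echo "$base"
}

# Stand-alone use: audit the real paths, or those given in AUDIT_PATHS.
# Word splitting on the variable is intended here.
find_world_readable ${AUDIT_PATHS:-$DEFAULT_PATHS}
```

Any path printed is a file on the host that still grants read access to every local user and needs its mode tightened (or the upgrade applied).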

Products affected: Cloudera Manager

Releases affected: All versions of Cloudera Manager 5, except for those indicated in the Addressed in release/refresh/patch section below.

Users affected: All users of Cloudera Manager using the releases affected above.

Date/time of detection: March 16, 2016

Severity (Low/Medium/High): High

Impact: An unauthorized user that gains access to an affected system may be able to leverage that access to subsequently authenticate with other services.

CVE: CVE-2016-3192

Immediate action required:

  • Upgrade Cloudera Manager to one of the maintenance releases indicated below.
  • Regenerate Kerberos principals used by all the services in the cluster.
  • Regenerate SSL keystores used by all the services in the cluster, with a new password.
  • If you are using a version of Cloudera Manager lower than 5.5.0, change the database passwords for all the CDH services, wherever applicable.

Addressed in release/refresh/patch: Cloudera Manager 5.5.4 and higher, 5.6.1 and higher, 5.7.1 and higher

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or "bundles") to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as "advanced configuration snippets (ACS)" (formerly called "safety valves") to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions:

  1. modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and
  2. modified Cloudera Manager SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Products affected: Cloudera Manager

Releases affected:
  • All Cloudera Manager releases prior to 4.8.6
  • Cloudera Manager 5.0.x prior to Cloudera Manager 5.0.7
  • Cloudera Manager 5.1.x prior to Cloudera Manager 5.1.6
  • Cloudera Manager 5.2.x prior to Cloudera Manager 5.2.7
  • Cloudera Manager 5.3.x prior to Cloudera Manager 5.3.7
  • Cloudera Manager 5.4.x prior to Cloudera Manager 5.4.6

Users affected: Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required: Upgrade Cloudera Manager to one of the releases listed below.

ETA for resolution: September 1st, 2015

Addressed in release/refresh/patch:
  • Cloudera Manager 4.8.6
  • Cloudera Manager 5.0.7
  • Cloudera Manager 5.1.6
  • Cloudera Manager 5.2.7
  • Cloudera Manager 5.3.7
  • Cloudera Manager 5.4.6

Cross Site Scripting Vulnerabilities in Cloudera Manager

Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Manager UI before version 5.4.3 allow remote attackers to inject arbitrary web script or HTML using unspecified vectors. Authentication to Cloudera Manager is required to exploit these vulnerabilities.

Products affected: Cloudera Manager

Releases affected: All releases prior to 5.4.3

Users affected: All Cloudera Manager users

Date/time of detection: May 8th, 2015

Severity (Low/Medium/High): Medium

Impact: Allows unauthorized modification.

CVE: CVE-2015-4457

Immediate action required: Upgrade to Cloudera Manager 5.4.3.

Addressed in release/refresh/patch: Cloudera Manager 5.4.3

Cloudera Manager exposes sensitive data

In the Cloudera Manager 5.2 release, the LDAP bind password was erroneously marked such that it would be written to the world-readable files in /etc/hadoop, in addition to the more private files in /var/run. Thus, any user on any host of a Cloudera Manager managed cluster could read the LDAP bind password.

The fix to this issue removes the LDAP bind password from the files in /etc/hadoop; it is only written to configuration files in /var/run. Those files are owned by and only readable by the appropriate service.

Cloudera Manager writes configuration parameters to several locations. Each service gets every parameter that it requires in a directory in /var/run, and the files in those directories are not world-readable. Clients (for example, the “hdfs” command) obtain their configuration parameters from files in /etc/hadoop. The files in /etc/hadoop are world-readable. Cloudera Manager keeps track of where each configuration parameter is to be written so as to expose each parameter only in the location where it is required.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 5.2.0, Cloudera Manager 5.2.1, Cloudera Manager 5.3.0

Users Affected: All users

Date/time of detection: December 30, 2014

Severity: High

Impact: Exposure of sensitive data

CVE: CVE-2014-8733

Immediate action required: Upgrade to Cloudera Manager 5.2.2 or higher, or Cloudera Manager 5.3.1 or higher.

Sensitive configuration values exposed in Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are considered "sensitive", such as database passwords. These configuration values are expected to be inaccessible to non-admin users, and this is enforced in the Cloudera Manager Admin Console. However, these configuration values are not redacted when reading them through the API, possibly making them accessible to users who should not have such access.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0

Users Affected: Cloudera Manager installations with non-admin users

Date/time of detection: May 7, 2014

Severity: High

Impact: Through the API only, non-admin users can access potentially sensitive configuration information

CVE: CVE-2014-0220

Immediate action required: Upgrade to Cloudera Manager 4.8.3 or Cloudera Manager 5.0.1, or disable non-admin users if you do not want them to have this access.

ETA for resolution: May 13, 2014

Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and Cloudera Manager 5.0.1

Cloudera Manager installs taskcontroller.cfg in insecure mode

Products affected: Cloudera Manager and Service and Configuration Manager

Releases affected: Cloudera Manager 3.7.0-3.7.4, Service and Configuration Manager 3.5 (in certain cases)

Users affected: Users on multi-user systems who have not enabled Hadoop Kerberos features. Users using the Hadoop security features are not affected.

Severity: Critical

Impact: Vulnerability allows a malicious user to impersonate other users on the systems running the Hadoop cluster.

Immediate action required: Upgrade to Cloudera Manager 3.7.5 and subsequently restart the MapReduce service.

Workarounds are available: Any of these workarounds is sufficient.

  • For CM 3.7.x (Enterprise Edition), edit the configuration "Minimum user ID for job submission" to a number higher than any UIDs on the system. 65535 is the largest value that Cloudera Manager will accept, and is typically sufficient. Restart the MapReduce service. To find the current maximum UID on your system, run:
    getent passwd | awk -F: '{ if ($3 > max) { max = $3; name = $1 } } END { print name, max }'
  • For CM 3.7.x Free Edition, remove the file /usr/lib/hadoop-0.20/sbin/Linux-amd64-64/task-controller. This file is part of the hadoop-0.20-sbin package and is re-installed by upgrades.
  • For SCM 3.5, if the cluster has been run in both secure and non-secure configurations, remove /etc/hadoop/conf/taskcontroller.cfg from all TaskTrackers. Repeat this in the future if you reconfigure the cluster from a Kerberized to a non-Kerberized configuration.

Resolution: Mar 27, 2012

Addressed in release/refresh/patch: Cloudera Manager 3.7.5

Verification: Verify that, in non-secure clusters, /etc/hadoop/conf/taskcontroller.cfg is unconfigured on all TaskTrackers. (A file with only lines starting with # is unconfigured.)

If you are a Cloudera Enterprise customer and have further questions or need assistance, log a ticket with Cloudera Support through http://support.cloudera.com.

Two links in the Cloudera Manager Admin Console allow read-only access to arbitrary files on managed hosts.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 3.7.0 through 3.7.6, 4.0.0 (beta), and 4.0.1 (GA)

Users affected: All Cloudera Manager Users

Date vulnerability discovered: June 6, 2012

Date vulnerability analysis and validation complete: June 15, 2012

Severity: Medium

Impact: Any user, including non-admin users, logged in to the Cloudera Manager Admin Console can access any file on any host managed by Cloudera Manager.

Immediate action required:

Solution: Upgrade to Cloudera Manager or Cloudera Manager Free Edition, version 3.7.7 or higher, or version 4.0.2 or higher.

Workaround: If immediate upgrade is not possible, disable non-admin user access to Cloudera Manager to limit the vulnerability to Cloudera Manager admins.

Resolution: June 25th

Addressed in release/refresh/patch: Cloudera Manager or Cloudera Manager Free Edition 3.7.7 or higher and 4.0.2 or higher.

Verification: Check the Cloudera Manager version number under Help > About.

If you are a Cloudera Enterprise customer and have further questions or need assistance, log a ticket with Cloudera Support at http://support.cloudera.com.