Cloudera Manager transmits certain diagnostic data (or "bundles") to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical ... Cloudera support discovered that potentially sensitive data may be included in diagnostic bundles and transmitted to Cloudera. This sensitive data cannot be used by Cloudera for any ...

Cloudera has modified Cloudera Manager so that known sensitive data is redacted from the bundles before transmission to Cloudera. Work is in progress in Cloudera CDH components to remove logging and output of known potentially sensitive properties and configurations. See Cloudera Manager Release Notes, specifically, What's New in Cloudera Manager 5.9.0 for more information (scroll to Diagnostic Bundles). Also see Sensitive Data Redaction in the Cloudera Security Guide for more information about bundles and redaction.

Cloudera strives to establish and follow best practices for the protection of customer information. Cloudera continually reviews and improves security practices, infrastructure, and ...

Products affected: Cloudera CDH and Enterprise Editions
Releases affected: All Cloudera CDH and Enterprise Edition releases lower than 5.9.0
Impact: Possible logging and transmission of sensitive data
Addressed in release/refresh/patch: Cloudera CDH and Enterprise Editions 5.9 and higher
Immediate action required: Upgrade to Cloudera CDH and Enterprise Editions 5.9
For updates about this issue, see the Cloudera Knowledge article, TSB 2016-166: Potentially Sensitive Information in Cloudera Diagnostic Support Bundles.

Apache Commons Collections Deserialization Vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. This library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products. In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. This will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Cloudera Products affected: Cloudera Manager, Cloudera Navigator, Cloudera Director, CDH
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower, Director 1.5.1 and lower
Impact: This potential vulnerability might enable an attacker to run arbitrary code from a remote machine without requiring authentication.
Addressed in release/refresh/patch: Beginning with CDH 5.5.1, 5.4.9, and 5.3.9, Cloudera Manager 5.5.1, 5.4.9, and 5.3.9, Cloudera Navigator 2.4.1, 2.3.9 and 2.2.9, and Director 1.5.2, the new Apache Commons Collections library version is included in all Cloudera products.
Immediate action required: Upgrade to the latest suitable version containing this fix when it is available.

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, announced by Bodo Möller, Thai Duong, and Krzysztof Kotowicz at Google, forces the use of the obsolete SSLv3 protocol and then exploits a cryptographic flaw in SSLv3.
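The diagnostic-bundle advisory above describes redacting known sensitive properties and configurations before a bundle is transmitted. The following is an added example of that kind of pre-transmission redaction; it is not Cloudera Manager's redaction code. It assumes a bundle is a mapping of file name to file text, that Hadoop-style `*-site.xml` files carry `<name>`/`<value>` property pairs, and that other files are `key=value` lines or free-form logs; the sensitive-name patterns and the sample bundle are constructed for illustration.

```python
"""Redact known-sensitive properties and credential fragments from a diagnostic bundle.

Added example, not Cloudera's redaction code. Assumes a bundle is a mapping of
file name to text; *.xml files are Hadoop-style <name>/<value> property files,
everything else is key=value lines or free-form log text. Patterns and sample
data below are constructed for illustration.
"""
import re
from typing import Callable, Dict, Tuple

REDACTED = "[REDACTED]"

# Property/key names treated as sensitive (constructed list; a real deployment
# would derive this from the product's redaction configuration).
SENSITIVE_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"password", r"passwd", r"secret", r"credential", r"\btoken\b", r"private[_.\-]?key")
]

# <property><name>n</name><value>v</value></property> as found in *-site.xml files
XML_PROPERTY = re.compile(
    r"(<name>\s*)(?P<name>[^<]+?)(\s*</name>\s*<value>)(?P<value>[^<]*)(</value>)", re.DOTALL
)
# key=value or key: value lines (properties files, ini-style config, env dumps)
KV_LINE = re.compile(r"^(?P<key>[\w.\-]+)(?P<sep>\s*[=:]\s*)(?P<value>.*)$")
# credential-shaped fragments embedded anywhere in log text (JDBC URLs, CLI arguments)
LOG_SECRET = re.compile(r"(?i)\b(password|passwd|secret|token)(\s*[=:]\s*)(\S+)")


def is_sensitive_name(name: str) -> bool:
    """True if a property or key name matches any sensitive-name pattern."""
    return any(p.search(name) for p in SENSITIVE_NAME_PATTERNS)


def redact_xml(text: str) -> Tuple[str, int]:
    """Blank the <value> of every sensitive <property>; returns (text, redaction count)."""
    count = 0

    def replace(m) -> str:
        nonlocal count
        if is_sensitive_name(m.group("name")) and m.group("value").strip():
            count += 1
            return f"{m.group(1)}{m.group('name')}{m.group(3)}{REDACTED}{m.group(5)}"
        return m.group(0)

    return XML_PROPERTY.sub(replace, text), count


def redact_lines(text: str) -> Tuple[str, int]:
    """Redact sensitive key=value lines and credential fragments inside log lines."""
    count = 0
    out = []
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and is_sensitive_name(m.group("key")) and m.group("value").strip():
            out.append(f"{m.group('key')}{m.group('sep')}{REDACTED}")
            count += 1
            continue
        # \S+ is deliberately greedy: over-redacting the tail of a URL is safer
        # than leaking part of a secret.
        new_line, n = LOG_SECRET.subn(lambda mm: f"{mm.group(1)}{mm.group(2)}{REDACTED}", line)
        count += n
        out.append(new_line)
    return "\n".join(out), count


def redact_bundle(bundle: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Redact every file in the bundle; returns (redacted bundle, total redactions)."""
    redacted: Dict[str, str] = {}
    total = 0
    for name, text in bundle.items():
        handler: Callable[[str], Tuple[str, int]] = redact_xml if name.endswith(".xml") else redact_lines
        redacted[name], n = handler(text)
        total += n
    return redacted, total


# Constructed sample bundle: a metastore config, an agent properties file and a log excerpt.
SAMPLE_BUNDLE = {
    "hive-site.xml": (
        "<configuration>\n"
        "  <property><name>javax.jdo.option.ConnectionUserName</name><value>hive</value></property>\n"
        "  <property><name>javax.jdo.option.ConnectionPassword</name><value>hunter2</value></property>\n"
        "  <property><name>hive.metastore.uris</name><value>thrift://metastore:9083</value></property>\n"
        "</configuration>\n"
    ),
    "agent.properties": (
        "server_host=cm.example.internal\n"
        "client_keystore_password=changeit\n"
        "log_dir=/var/log/cloudera-scm-agent\n"
    ),
    "cloudera-scm-agent.log": (
        "2016-11-01 10:00:00 INFO  Heartbeat sent to cm.example.internal\n"
        "2016-11-01 10:00:01 DEBUG jdbc url jdbc:mysql://db/scm?user=scm&password=s3cr3t\n"
    ),
}

if __name__ == "__main__":
    bundle, n = redact_bundle(SAMPLE_BUNDLE)
    print(f"{n} redactions")
    for name, text in bundle.items():
        print(f"--- {name}\n{text}")
```

Two checks are worth keeping when adapting this: the name-based pass catches values whose key marks them as secrets even when the value looks harmless, and the log pass catches secrets that were never stored as a property at all (a password embedded in a JDBC URL written at DEBUG level). Redaction is a safety net; removing the logging of such values at the source, as the advisory says is in progress for CDH components, is the more durable fix.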
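The Commons Collections advisory above lists affected releases but, because the library is bundled into many products and often shaded into application jars, an operator still needs to find every copy on a host. The following is an added inventory check, not Cloudera's tooling: it reads each jar's Maven `pom.properties` to compare the artifact version against the first fixed release, and flags any jar that contains an `InvokerTransformer` class without version metadata for manual review. The advisory names no version numbers; the thresholds of commons-collections 3.2.2 and commons-collections4 4.1 are this example's assumption from the upstream fix for COLLECTIONS-580, and the sample jars are constructed in memory.

```python
"""Inventory check for jars affected by COLLECTIONS-580 (InvokerTransformer deserialization).

Added example, not Cloudera's tooling. Assumptions: the upstream fix shipped in
commons-collections 3.2.2 and commons-collections4 4.1 (the advisory gives no
numbers); jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties; a jar
with the class but no metadata (shaded copy) is flagged for manual review.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

INVOKER_TRANSFORMER_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
# (groupId, artifactId) -> first version assumed to contain the fix
FIXED_VERSIONS: Dict[Tuple[str, str], Tuple[int, ...]] = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}


@dataclass
class JarFinding:
    jar_name: str
    artifact: Optional[Tuple[str, str]]
    version: Optional[str]
    has_invoker_transformer: bool
    vulnerable: bool
    reason: str


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); a qualifier such as '-SNAPSHOT' ends the numeric part."""
    numbers: List[int] = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Numeric comparison with zero padding, so (4,) equals (4, 0) and is below (4, 1)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def read_pom_properties(zf: zipfile.ZipFile) -> Optional[Dict[str, str]]:
    """Parse the first Maven pom.properties in the jar into a dict, or None."""
    for name in zf.namelist():
        if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
            continue
        props: Dict[str, str] = {}
        for line in zf.read(name).decode("utf-8", "replace").splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
        if "groupId" in props and "artifactId" in props:
            return props
    return None


def assess_jar(jar_name: str, data: bytes) -> JarFinding:
    """Classify one jar from its bytes: fixed, vulnerable, unknown-but-suspicious, or unrelated."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_it = any(cls in names for cls in INVOKER_TRANSFORMER_CLASSES)
        props = read_pom_properties(zf)
    artifact = (props["groupId"], props["artifactId"]) if props else None
    version = props.get("version") if props else None
    fixed = FIXED_VERSIONS.get(artifact) if artifact else None
    if fixed is not None and version is not None:
        if version_lt(parse_version(version), fixed):
            return JarFinding(jar_name, artifact, version, has_it, True,
                              f"version {version} predates the fix in {'.'.join(map(str, fixed))}")
        return JarFinding(jar_name, artifact, version, has_it, False, "fixed version")
    if has_it:  # shaded/relocated copy with no Maven metadata: cannot prove it is fixed
        return JarFinding(jar_name, artifact, version, True, True,
                          "InvokerTransformer present but artifact version unknown; review manually")
    return JarFinding(jar_name, artifact, version, False, False, "not affected")


def scan_jar_bytes(jars: Dict[str, bytes]) -> List[JarFinding]:
    return [assess_jar(name, data) for name, data in jars.items()]


def scan_directory(root: str) -> List[JarFinding]:
    """Walk a classpath directory (for example a parcel's lib/) and assess every *.jar."""
    return [assess_jar(str(p), p.read_bytes()) for p in sorted(Path(root).rglob("*.jar"))]


def vulnerable_names(findings: List[JarFinding]) -> List[str]:
    return [f.jar_name for f in findings if f.vulnerable]


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip) from a name -> content mapping, for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def pom(group: str, artifact: str, version: str) -> bytes:
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n".encode()


CLASS_STUB = b"\xca\xfe\xba\xbe"  # class-file magic only; the scan checks entry names, not bytecode
CC3_POM = "META-INF/maven/commons-collections/commons-collections/pom.properties"
CC4_POM = "META-INF/maven/org.apache.commons/commons-collections4/pom.properties"

# Constructed sample jars covering each classification branch.
SAMPLE_JARS = {
    "commons-collections-3.2.1.jar": make_jar({CC3_POM: pom("commons-collections", "commons-collections", "3.2.1"), INVOKER_TRANSFORMER_CLASSES[0]: CLASS_STUB}),
    "commons-collections-3.2.2.jar": make_jar({CC3_POM: pom("commons-collections", "commons-collections", "3.2.2"), INVOKER_TRANSFORMER_CLASSES[0]: CLASS_STUB}),
    "commons-collections4-4.0.jar": make_jar({CC4_POM: pom("org.apache.commons", "commons-collections4", "4.0"), INVOKER_TRANSFORMER_CLASSES[1]: CLASS_STUB}),
    "shaded-app.jar": make_jar({INVOKER_TRANSFORMER_CLASSES[0]: CLASS_STUB}),
    "commons-lang-2.6.jar": make_jar({"META-INF/maven/commons-lang/commons-lang/pom.properties": pom("commons-lang", "commons-lang", "2.6")}),
}

if __name__ == "__main__":
    for finding in scan_jar_bytes(SAMPLE_JARS):
        print(f"{'VULNERABLE' if finding.vulnerable else 'ok':10} {finding.jar_name}: {finding.reason}")
```

Note that a fixed jar still contains `InvokerTransformer.class`, so the presence of the class alone does not mean a host is exposed; the version decides, and only when the version cannot be read does the class name become the signal. Run `scan_directory` over the library directories of each affected product and compare the results with the patched releases listed in the advisory.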