6. Common Vulnerabilities and Exposures

HDP 2.2.8 provides fixes for the following information-security vulnerabilities and exposures (CVEs):

  • CVE-2014-0227: Apache Tomcat - HTTP Request Smuggling Issue

    Severity: Important

    Vendor: Hortonworks

    Versions Affected: All HDP 2.2.x releases prior to 2.2.8

    Users Affected: Users who use HttpFS, Hadoop KMS, Hadoop Auth, and Oozie.

    Impact: See BUG-41101 and HADOOP-12232. Allows unauthorized modification and disruption of service. java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

    Recommended Action: Upgrade to HDP 2.2.8.
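    The defect described above is a parser that keeps consuming the stream after a malformed chunk. The following decoder, an added example that is not Tomcat's or HDP's code, models the corrected behaviour from the defender's side: the first malformed chunk-size line, truncated chunk, or missing CRLF is a hard error, and the connection object is then poisoned so no further bytes of that stream can be interpreted as the next request. The 1 MiB chunk limit and the sample byte strings are constructed for illustration.

```python
"""Strict decoder for HTTP chunked transfer coding (RFC 7230 section 4.1).

Added example, not Tomcat or HDP code. After any decoding error the
connection refuses further reads instead of resuming mid-stream.
"""
import re

# chunk-size in hex, optionally followed by ";ext=value" chunk extensions
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")
MAX_CHUNK = 1 << 20   # constructed limit: refuse single chunks above 1 MiB


class ChunkedDecodeError(ValueError):
    pass


class ChunkedConnection:
    """Decodes one chunked body; after any error the connection is unusable."""

    def __init__(self, data: bytes):
        self.buf = data
        self.pos = 0
        self.error = None

    def _read_line(self) -> bytes:
        end = self.buf.find(b"\r\n", self.pos)
        if end < 0:
            raise ChunkedDecodeError("missing CRLF")
        line = self.buf[self.pos:end]
        self.pos = end + 2
        return line

    def read_body(self) -> bytes:
        if self.error:
            raise ChunkedDecodeError("connection already failed: " + self.error)
        try:
            return self._decode()
        except ChunkedDecodeError as e:
            self.error = str(e)   # poison the connection: never continue after an error
            raise

    def _decode(self) -> bytes:
        out = bytearray()
        while True:
            m = CHUNK_SIZE_RE.match(self._read_line())
            if not m:
                raise ChunkedDecodeError("malformed chunk-size line")
            size = int(m.group(1), 16)
            if size > MAX_CHUNK:
                raise ChunkedDecodeError("chunk too large")
            if size == 0:
                # last-chunk: skip optional trailer header lines up to the empty line
                while self._read_line() != b"":
                    pass
                return bytes(out)
            chunk = self.buf[self.pos:self.pos + size]
            if len(chunk) != size:
                raise ChunkedDecodeError("truncated chunk")
            self.pos += size
            if self._read_line() != b"":
                raise ChunkedDecodeError("chunk data not terminated by CRLF")
            out += chunk

    def remaining(self) -> bytes:
        return self.buf[self.pos:]


def decode_or_fail(data: bytes):
    """Return (body, error_message, unparsed_bytes) for one stream."""
    conn = ChunkedConnection(data)
    try:
        return conn.read_body(), None, conn.remaining()
    except ChunkedDecodeError as e:
        return None, str(e), conn.remaining()


def refuses_after_error(data: bytes) -> bool:
    """True if a second read on a failed connection is rejected rather than resumed."""
    conn = ChunkedConnection(data)
    try:
        conn.read_body()
    except ChunkedDecodeError:
        pass
    else:
        return False   # nothing failed, so there is nothing to refuse
    try:
        conn.read_body()
    except ChunkedDecodeError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample streams: one well-formed, one with a non-hex chunk size
    print(decode_or_fail(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(decode_or_fail(b"4\r\nWiki\r\n-1\r\nmore\r\n0\r\n\r\n"))
```

    The point to check in any chunked-body implementation is the `self.error` path: once a stream is known to be malformed, the only safe action is to close the connection, because the unparsed remainder no longer has a trustworthy framing.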

  • CVE-2015-5167: Restrict REST API data access for non-admin users

    Severity: Important

    Vendor: Hortonworks

    Versions Affected: All HDP 2.2.x releases prior to 2.2.8

    Users Affected: All users of Ranger Policy Admin tool.

    Impact: See BUG-41603 and RANGER-630. Data access restrictions in the REST API are not consistent with the restrictions enforced in the Policy Admin UI. Non-admin users can access some Ranger data that is restricted to admin users by calling the REST API directly.

    Recommended Action: Upgrade to HDP 2.2.8+.

  • CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability

    Severity: Important

    Vendor: Hortonworks

    Versions Affected: All HDP 2.2.x releases prior to 2.2.8

    Users Affected: Users who run HBase in secure environments. A logic error caused HBase, in most secure configuration deployments, to store its coordination state in ZooKeeper with insecure ACLs, giving inappropriate access to any user with authenticated access to the network.

    Impact: See BUG-38465 and HBASE-13768. Inappropriate access to HBase coordination state by any user with authenticated access to the network.

    Recommended Action: HBase users should update to the latest hotfix release of their respective version (e.g. HDP-2.2.8.0, HDP-2.3.0.0) to ensure newly written coordination information has the correct ACLs.
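    Upgrading only fixes the ACLs on newly written coordination znodes, so an operator will want to verify what is actually in ZooKeeper. The script below is an added example, not HBase, ZooKeeper or HDP project code: it parses the text that the ZooKeeper CLI (`zkCli.sh`) prints for `getAcl <path>` and flags any entry that grants more than read permission to the unauthenticated `world` scheme. The znode paths, the `sasl:hbase` principal and the sample output are constructed for illustration; which znodes HBase legitimately leaves world-readable for clients is not covered by this page, so the check treats read-only `world` entries as acceptable and anything broader as a finding.

```python
"""Audit ZooKeeper ACLs on HBase coordination znodes.

Added example, not HBase/ZooKeeper/HDP code. Input is the text zkCli.sh
prints for `getAcl <path>`, one entry per two lines:
    'scheme,'id
    : cdrwa
"""
import re

ACL_ENTRY_RE = re.compile(r"'(?P<scheme>[^,']+),'(?P<id>[^\n]*)\n:\s*(?P<perms>[crwda]*)")

WRITE_LIKE = set("cwda")   # create, write, delete, admin: anything beyond read


def parse_getacl(text: str):
    """Return a list of (scheme, id, perms) tuples from zkCli getAcl output."""
    return [(m.group("scheme"), m.group("id"), m.group("perms"))
            for m in ACL_ENTRY_RE.finditer(text)]


def insecure_entries(acls):
    """Entries that let anyone on the network (scheme 'world') change coordination state."""
    return [e for e in acls if e[0] == "world" and WRITE_LIKE & set(e[2])]


def audit(snapshot: dict) -> dict:
    """Map znode path -> list of offending ACL entries (empty list means OK)."""
    return {path: insecure_entries(parse_getacl(out)) for path, out in snapshot.items()}


# Constructed sample: getAcl output as it might look on a partially repaired cluster.
SAMPLE = {
    "/hbase/master": "'sasl,'hbase\n: cdrwa\n'world,'anyone\n: r\n",   # world read-only: accepted
    "/hbase/rs/host1,16020": "'world,'anyone\n: cdrwa\n",              # world-writable: flagged
    "/hbase/table/t1": "'sasl,'hbase\n: cdrwa\n",                      # sasl-only: accepted
}

if __name__ == "__main__":
    for path, bad in audit(SAMPLE).items():
        print(f"{'INSECURE' if bad else 'ok':9} {path} {bad}")
```

    In practice the snapshot dict would be filled by running `getAcl` for each child of the HBase root znode and capturing the output; znodes written before the upgrade that still show a writable `world` entry need their ACLs corrected by an administrator rather than waiting for HBase to rewrite them.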