Known Issues in Cloudera Manager 7.2.4
Known issues in CM 7.2.4.
- OPSAPS-58679 FIPS cluster install fails at Setup Database step.
-
Known Issue Description: When setting up a cluster with FIPS + Auto TLS + SSL Postgres enabled, when the Ranger service is added in Cloudera Manager using the Add Service wizard, the database test connection fails with the following error at the Setup Database step:
org.postgresql.util.PSQLException: SSL error: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints - OPSAPS-57584 FIPS compliance causes flood process to crash.
-
Known Issue Description: Configuring Cloudera Manager for FIPS compliance requires disabling the flood process.
- OPSAPS-59511 Cloudera Manager displays invalid services when adding role instances to the Cloudera Management Service.
- Known Issue DescriptionCloudera Manager displays the following invalid services when adding a role instance to the Cloudera Management Service: Navigator Audit Server and Navigator Metadata Server. Cloudera Manager also displays the following services that are already installed: Host Monitor, Reports Manager, Service Monitor, and Alert Publisher.
- OPSAPS-54299 – Installing Hive on Tez and HMS in the incorrect order causes HiveServer failure
- You need to install Hive on Tez and HMS in the correct order; otherwise, HiveServer fails. You need to install additional HiveServer roles to Hive on Tez, not the Hive service; otherwise, HiveServer fails. See Installing Hive on Tez for the correct procedures.
- OPSAPS-65189: Accessing Cloudera Manager through Knox displays the following error:
Bad Message 431 reason: Request Header Fields Too Large
Workaround: Modify the Cloudera Manager Server configuration /etc/default/cloudera-scm-server file to increase the header size from 8 KB, which is the default value, to 65 KB in the Java options as shown below:export CMF_JAVA_OPTS="...existing options... -Dcom.cloudera.server.cmf.WebServerImpl.HTTP_HEADER_SIZE_BYTES=65536 -Dcom.cloudera.server.cmf.WebServerImpl.HTTPS_HEADER_SIZE_BYTES=65536"
Technical Service Bulletins
- TSB 2021-488: Cloudera Manager is vulnerable to Cross-Site-Scripting attack
- Cloudera Manager may be vulnerable to Cross-Site-Scripting vulnerabilities identified by CVE-2021-29243 and CVE-2021-32482. A remote attacker can exploit this vulnerability and execute malicious code in the affected application.
- CVE
-
- CVE-2021-29243
- CVE-2021-32482
- Impact
- This is an XSS issue. An administrator could be tricked to click on a link that may expose certain information such as session cookies.
- Action required
-
-
- Upgrade (recommended)
- Upgrade to a version containing the fix.
-
- Workaround
- None
-
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article:
- TSB 2021-491: Authorization Bypass in Cloudera Manager (CVE-2021-30132/CVE-2021-32483
- Cloudera Manager (CM) 7.4.0 and earlier versions have incorrect Access Control in place for certain endpoints. A user who has a knowledge to the direct path of a resource or a URL to call a particular function, can access it without having the proper role granted. The vulnerable endpoints were CVE-2021-30132 /cmf/alerts/config?task= and CVE-2021-32483 /cmf/views/view?viewName=.
- CVE
-
- CVE-2021-30132
- Alerts config - 4.3 (Medium)
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CVE-2021-32483
- Views - 4.3 (Medium)
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CVE-2021-30132
- Impact
- A user with read only privilege is able to see configuration information in the UI.
- Action required
- Upgrade to a version containing the fix.
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article: TSB 2021-491: Authorization Bypass in Cloudera Manager (CVE-2021-30132 / CVE-2021-32483)
- TSB 2021-530: Local File Inclusion (LFI) Vulnerability in Navigator
- After successful user authentication to the Navigator Metadata Server and enabling dev mode of Navigator Metadata Server, local file inclusion can be performed through the Navigator’s embedded Solr web UI. All files can be accessed for reading which can be opened as cloudera-scm OS user. This is related to Apache Solr CVE-2020-13941.
- Impact
-
- Attackers can read files on the Navigator Metadata Server host with the OS user privileges running the Navigator Metadata Server.
- How to confirm the vulnerability
- Open
https://<navigator_host>:<navigator_port>/debugPlease check for Dev-mode status. To make the exploit work, dev-mode must be enabled. Please note that restarting the NMS automatically disables dev-mode.
- Open
- Action required
-
-
- Upgrade (recommended)
-
- Upgrade to Cloudera Manager 7.4.4 or higher
- Please contact Cloudera Support for patched version of Cloudera Manager 6.3.4
-
- Workaround
-
- For Cloudera Manager 6.x:
- Login to the Navigator Metadata Server host and edit these files:
/opt/cloudera/cm/cloudera-navigator-server/search-schema/solr/2900/nav_elements/conf/solrconfig.xml /opt/cloudera/cm/cloudera-navigator-server/search-schema/solr/2900/nav_relations/conf/solrconfig.xml - Remove the entry:
<requestHandler name="/replication" class="solr.ReplicationHandler" startup="lazy" />
- Login to the Navigator Metadata Server host and edit these files:
- For Cloudera Manager 5.x:
- Login to the Navigator Metadata Server host and edit these files:
/usr/share/cmf/cloudera-navigator-server/search-schema/solr/2900/nav_elements/conf/solrconfig.xml /usr/share/cmf/cloudera-navigator-server/search-schema/solr/2900/nav_relations/conf/solrconfig.xml - Remove the
entry:
<requestHandler name="/replication" class="solr.ReplicationHandler" startup="lazy" />
- Login to the Navigator Metadata Server host and edit these files:
- Restart Navigator Metadata Server
- This is a temporary solution and has to be followed-up with the recommended long term solution below.
- For Cloudera Manager 6.x:
-
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article:
TSB 2021-530: CVE-2021-30131 - Local File Inclusion (LFI) Vulnerability in Navigator
