Fixed Issues in Hue

Review the list of Hue issues that are resolved in Cloudera Runtime 7.1.7.

TSB-487: Cloudera Hue is vulnerable to Cross-Site Scripting attacks

Multiple Cross-Site Scripting (XSS) vulnerabilities have been found in Cloudera Hue. They allow JavaScript code injection and execution in the application context.

  • CVE-2021-29994 - The Add Description field in the Table schema browser does not sanitize user inputs as expected.

  • CVE-2021-32480 - The Default Home direct button in the Filebrowser is also susceptible to XSS attacks.

  • CVE-2021-32481 - The Error snippet dialog of the Hue UI does not sanitize user inputs.
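All three CVEs describe the same defect class: a free-text value entered by a user (a table description, a path, an error snippet) is placed into the page as HTML without encoding. The following is an added illustration of that defect and its fix; it is not Hue's code, and the field name, CSS class and sample description are constructed for the example. It contrasts a rendering helper that splices user input into markup verbatim with one that HTML-encodes the value first, and shows the DOM text API as the preferred alternative when string concatenation can be avoided.

```javascript
// Added illustration (not Hue's own code): output encoding for a user-supplied
// free-text field before it is placed into HTML. Names and sample data are assumed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that can open a tag, close one, or break out of a
// quoted attribute, so the browser treats the value as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user's text is spliced into markup unchanged, so any
// tag or event-handler attribute it contains becomes part of the page.
function renderDescriptionUnsafe(description) {
  return `<p class="table-description">${description}</p>`;
}

// Hardened pattern: identical markup, but the user's text is encoded first.
function renderDescriptionSafe(description) {
  return `<p class="table-description">${escapeHtml(description)}</p>`;
}

// When a real DOM element is at hand, prefer textContent over innerHTML or
// string building: textContent never interprets the value as HTML.
function setDescriptionText(element, description) {
  element.textContent = String(description);
  return element;
}

// Constructed sample input, as a user might type it into a description field.
const SAMPLE_DESCRIPTION = 'Customer orders <script>alert("xss")</script> table';

// Render the sample both ways and report whether a live script tag survived.
function demo() {
  const unsafe = renderDescriptionUnsafe(SAMPLE_DESCRIPTION);
  const safe = renderDescriptionSafe(SAMPLE_DESCRIPTION);
  return {
    unsafeContainsScriptTag: /<script>/.test(unsafe),
    safeContainsScriptTag: /<script>/.test(safe),
    safe,
  };
}

console.log(demo());
```

Encoding at the point of output is the check that matters: the same description may be stored unchanged and shown in several places, and each HTML sink needs its own encoding (or a text-only DOM API) regardless of what validation happened on input.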

Releases affected

  • CDP Public Cloud 7.2.10 and lower

  • CDP Private Cloud Base 7.1.6 and lower

  • CDP Private Cloud Plus 1.2 and lower (NOTE: CDP Private Cloud Plus was renamed to CDP Private Cloud Experiences for version 1.2)

  • Cloudera Data Warehouse (DWX) 1.1.2-b1484 (CDH 7.2.11.0-59) or lower

  • CDH 6.3.4 and lower

Impact

Security vulnerabilities as described in the CVEs listed above

Users affected

All users of the affected versions

Action required

Upgrade:
  • CDP Public Cloud users should upgrade to 7.2.11

  • CDP Private Cloud Base users should upgrade to CDP 7.1.7

  • CDP Private Cloud Plus users should upgrade to CDP PVC 1.3

  • Cloudera Data Warehouse users should upgrade to the latest version, DWX1.1.2-b1793 and CDH 2021.0.1-b10

  • CDH users should request a patch

Workaround

There is no workaround.

Knowledge article

TSB 2021-487: Cloudera Hue is vulnerable to Cross-Site Scripting attacks (CVE-2021-29994, CVE-2021-32480, CVE-2021-32481)