Issues Fixed in Cloudera Data Science Workbench 1.3.1

The current release of Cloudera Data Science Workbench includes fixes for bugs.

Remote Command Execution and Information Disclosure in Cloudera Data Science Workbench

A configuration issue in Kubernetes used by Cloudera Data Science Workbench can allow remote command execution and privilege escalation in CDSW. A separate information permissions issue can cause the LDAP bind password to be exposed to authenticated CDSW users when LDAP bind search is enabled.

Products affected: Cloudera Data Science Workbench

Releases affected: Cloudera Data Science Workbench 1.3.0 (and lower)

Users affected: All users of Cloudera Data Science Workbench 1.3.0 (and lower)

Date/time of detection: May 16, 2018

Severity (Low/Medium/High): High

Impact: Remote command execution and information disclosure

CVE: CVE-2018-11215

Immediate action required: Upgrade to the latest version of Cloudera Data Science Workbench (1.3.1 or higher) and change the LDAP bind password if previously configured in Cloudera Data Science Workbench.

Addressed in release/refresh/patch: Cloudera Data Science Workbench 1.3.1 (and higher)

For the latest update on this issue see the corresponding Knowledge Base article:

TSB: 2018-313: Remote Command Execution and Information

Other Notable Fixed Issues in Cloudera Data Science Workbench 1.3.1

  • Fixed an issue where CSD installations would fail to recognize Oracle Linux 7.3 as a supported operating system.

    Cloudera Bug: DSE-3257

  • Fixed several usability issues (file create, save, and so on) with Internet Explorer 11.

    Cloudera Bug: DSE-3426, DSE-3434

  • Fixed a SAML 2.0 configuration issue where uploading the identity provider metadata XML file did not update identity provider signing certificate and/or SSO URL on Cloudera Data Science Workbench correctly.

    Cloudera Bug: DSE-3265

  • Fixed an issue where the owner of a console output could not view their own shared consoles from sessions /job runs when sharing with Specific user/team.

    Cloudera Bug: DSE-3143

  • Fixed issue with missing connectors in Jobs dependency chart.

    Cloudera Bug: DSE-3185