Fixed Issues in CDH 6.1.1

Hue allows unsigned SAML assertions

If Hue receives an unsigned assertion, it continues to process it as valid. This means it is possible for an end-user to forge or remove the signature and manipulate a SAML assertion to gain access without a successful authentication.

Products affected: Hue, CDH

Releases affected:
  • CDH 5.15.x and earlier
  • CDH 5.16.0, 5.16.1
  • CDH 6.0.x
  • CDH 6.1.x

User affected: All users who are using SAML with Hue.

CVE: CVE-2019-14775

Date/time of detection: January 2019

Detected by: Joel Snape

Severity (Low/Medium/High): High

Impact:

This is a significant security risk as it allows anyone to fake their access validity and therefore access Hue, even if they should not have access. In more detail: if Hue receives an unsigned assertion, it continues to process it as valid. This means it is possible for an end-user to forge or remove the signature and manipulate a SAML assertion to gain access without a successful authentication.

CVE: CVE-2019-14775

Immediate action required:
  • Upgrade (recommended): Upgrade to a version of CDH containing the fix.
  • Workaround: None
Addressed in release/refresh/patch:
  • CDH 5.16.2
  • CDH 6.2.0

XSS Cloudera Manager

Malicious Impala queries can result in Cross Site Scripting (XSS) when viewed in Cloudera Manager.

Products affected: Apache Impala

Releases affected:
  • Cloudera Manager 5.13.x, 5.14.x, 5.15.1, 5.15.2, 5.16.1
  • Cloudera Manager 6.0.0, 6.0.1, 6.1.0

Users affected: All Cloudera Manager Users

Date/time of detection: November 2018

Severity (Low/Medium/High): High

Impact: When a malicious user generates a piece of JavaScript in the impala-shell and then goes to the Queries tab of the Impala service in Cloudera Manager, that piece of JavaScript code gets evaluated, resulting in an XSS.

CVE: CVE-2019-14449

Immediate action required: There is no workaround, upgrade to the latest available maintenance release.

Addressed in release/refresh/patch:
  • Cloudera Manager 5.16.2
  • Cloudera Manager 6.0.2, 6.1.1, 6.2.0, 6.3.0

CVE-2018-1296 Permissive Apache Hadoop HDFS listXAttr Authorization Exposes Extended Attribute Key/Value Pairs

AHDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

Products affected: Apache HDFS

Releases affected:
  • CDH 5.4.0 - 5.15.1, 5.16.0
  • CDH 6.0.0, 6.0.1, 6.1.0

Users affected: Users who store sensitive data in extended attributes, such as users of HDFS encryption.

Date/time of detection: Dcember 12, 2017

Detected by: Rushabh Shah, Yahoo! Inc., Hadoop committer

Severity (Low/Medium/High): Medium

Impact: HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. This affects features that store sensitive data in extended attributes.

CVE: CVE-2018-1296

Immediate action required:
  • Upgrade: Update to a version of CDH containing the fix.
  • Workaround: If a file contains sensitive data in extended attributes, users and admins need to change the permission to prevent others from listing the directory that contains the file.
Addressed in release/refresh/patch:
  • CDH 5.15.2, 5.16.1
  • CDH 6.1.1, 6.2.0

The Standby Resource Manager redirects /jmx and /metrics requests to the Active Resource Manager.

When ResourceManager high availability is enabled the Standby Resource Manager redirects /jmx and /metrics requests to the Active Resource Manager. This causes the following issues in Cloudera Manager:
  • If Enable Kerberos Authentication for HTTP Web-Console is disabled: Cloudera Manager shows statistics for the wrong server.
  • If Enable Kerberos Authentication for HTTP Web-Console is enabled: connection from the agent to the standby fails with the HTTPError: HTTP Error 401: Authentication required error message. As a result, the health of the Standby Resource Manager will become bad.

Workaround: N/A

Affected Versions: CDH 6.0.x, CDH 6.1.0

Fixed Version: CDH 6.1.1

Cloudera Issue: CDH-76040

Hadoop LdapGroupsMapping does not support LDAPS for self-signed LDAP server

Hadoop LdapGroupsMapping does not work with LDAP over SSL (LDAPS) if the LDAP server certificate is self-signed. This use case is currently not supported even if Hadoop User Group Mapping LDAP TLS/SSL Enabled, Hadoop User Group Mapping LDAP TLS/SSL Truststore, and Hadoop User Group Mapping LDAP TLS/SSL Truststore Password are filled properly.

Affected Versions: CDH 5.x and 6.0.x versions

Fixed Versions: CDH 6.1.0

Apache Issue: HADOOP-12862

Cloudera Issue: CDH-37926

Upstream Issues Fixed

See below for issues fixed in CDH 6.1.1, grouped by component:

Apache Accumulo

There are no notable fixed issues in this release.

Apache Avro

There are no notable fixed issues in this release.

Apache Crunch

There are no notable fixed issues in this release.

Apache Flume

There are no notable fixed issues in this release.

Apache Hadoop

HDFS

The following issues are fixed in CDH 6.1.1:

  • HADOOP-15717 - Fixed an issue where an IOException related to tgt.getEndTime() was not correctly logged.
  • HADOOP-15823 - Fixed an issue with ALDS Gen2 (ABFS) that required the user to configure the client ID and tenant ID for MSI.
  • HADOOP-15973 - Fixed an issue where configuration resources are not cached if they are a stream.

MapReduce 2

The following issues are fixed in CDH 6.1.1:

  • MAPREDUCE-7131 - Fixed a race condition where the Job History Server moves files from intermediate to finished but thinks the files are in intermediate.
  • MAPREDUCE-7156 - Fixed a NullPointerException when you reach the max shuffle connections.
  • MAPREDUCE-7159 - Enhanced the FrameworkUploader to ensure proper permissions of generated framework tar.gz if restrictive umask is used.

YARN

There are no notable fixed issues in this release.

Apache HBase

The following issues are fixed in CDH 6.1.1:

  • HBASE-21237 - Use CompatRemoteProcedureResolver to dispatch open/close region requests to RS
  • HBASE-21351 - The force update thread may have race with PE worker when the procedure is rolling back
  • HBASE-21503 - Replication normal source can get stuck due potential race conditions between source wal reader and wal provider initialization threads.
  • HBASE-21504 - If enable FIFOCompactionPolicy, a compaction may write a "empty" hfile whose maxTimeStamp is long max. This kind of hfile will never be archived.
  • HBASE-21618 - Scan with the same startRow(inclusive=true) and stopRow(inclusive=false) returns one result
  • HBASE-21621 - Reversed scan does not return expected number of rows
  • HBASE-21683 - Reset readsEnabled flag after successfully flushing the primary region

Apache Hive

The following issues are fixed in CDH 6.1.1:

  • HIVE-14557 - Nullpointer When both SkewJoin and Mapjoin Enabled
  • HIVE-20168 - ReduceSinkOperator Logging Hidden
  • HIVE-20169 - Print Final Rows Processed in MapOperator

Hue

The following issues are fixed in CDH 6.1.1:

  • HUE-8631 - [hbase] pull thrift transport from hbase-site.xml
  • HUE-8675 - [core] Fix external users created as superuser

Apache Impala

The following issues are fixed in CDH 6.1.1:

  • IMPALA-6661 - Treats NaN values to be equal when grouping, putting all NaN values in one group.
  • IMPALA-7777 - Fixed a crash due to arithmetic overflows in the Exchange Node.
  • IMPALA-5474 - Fixed an issue where adding a trivial subquery to a query with an error turns the error into a warning.
  • IMPALA-7939 - Fixed an issue in Impala Shell that would not run a valid CREATE TABLE statement when there is a word, "update", in the expression.
  • IMPALA-7960 - Fixed incorrect comparisons of TIMESTAMP when they were cast to shorter VARCHAR and STRING.
  • IMPALA-8026 - Now correctly calculates the number of rows for nested loop joins in query profiles.
  • IMPALA-7857 - Logs more information about the StateStore failure detection.

Apache Kafka

There are no notable fixed issues in this release.

Apache Kudu

The following issue is fixed in CDH 6.1.1:

  • KUDU-1678 - Fixed a rare crash caused by a race condition when a replica is shutting down while processing an alter table.

Apache Oozie

The following issues are fixed in CDH 6.1.1:

  • OOZIE-3382 - [SSH action] Optimize process streams draining

Apache Parquet

The following issues are fixed in CDH 6.1.1:

  • PARQUET-1305 - Backward incompatible change introduced in 1.8
  • PARQUET-1407 - Avro: Fix binary values returned from dictionary encoding
  • PARQUET-1472 - Dictionary filter fails on FIXED_LEN_BYTE_ARRAY

Apache Pig

The following issues are fixed in CDH 6.1.1:

  • PIG-5373 - InterRecordReader might skip records if certain sync markers are used
  • PIG-5374 - Use CircularFifoBuffer in InterRecordReader

Cloudera Search

The following issues are fixed in CDH 6.1.1:

  • SOLR-12615 - HashQParserPlugin won't throw an NPE for string hash key and documents with empty value
  • SOLR-12674 - RollupStream should not use the HashQueryParser for 1 worker

Apache Sentry

The following issues are fixed in CDH 6.1.1:

  • SENTRY-2428 - Skip null partitions or partitions with null sds entries
  • SENTRY-2464 - Catch exception thrown on first reload for UpdatableCache

Apache Spark

The following issues are fixed in CDH 6.1.1:

  • SPARK-25767 - [SQL] Fix lazily evaluated stream of expressions in code generation
  • SPARK-26079 - [SQL] Ensure listener event delivery in StreamingQueryListenersConfSuite.
  • SPARK-26118 - [WEB UI] Introducing spark.ui.requestHeaderSize for setting HTTP requestHeaderSize
  • SPARK-26201 - Fix python broadcast with encryption
  • SPARK-26605 - [YARN] Update AM's credentials when creating tokens.
  • SPARK-26680 - [SQL] Eagerly create inputVars while conditions are appropriate

Apache Sqoop

There are no notable fixed issues in this release.

Apache Zookeeper

There are no notable fixed issues in this release.