Fixed Issues in CDH 6.3.2

Kudu cannot distribute libnuma (dependency of memkind)

In this release the NVM cache implementation in Kudu has been changed to link memkind dynamically at runtime using dlopen(). Kudu therefore no longer has to ship memkind (or its libnuma dependency): the library is optional, and it is only required when the NVM block cache is enabled.

Affected Versions: CDH 6.3.0, 6.3.1

Fixed Versions: 6.3.2

Apache Issue: KUDU-2990

If you want support for Kudu's NVM (non-volatile memory) block cache, install the memkind library by running the command for your platform:
    • RHEL/CentOS:
      sudo yum install memkind
    • Ubuntu or Debian:
      sudo apt-get install libmemkind0
    • SLES:
      sudo zypper install memkind
If the memkind package provided with the Linux distribution is too old, build and install it from source with the following commands. The distribution package is removed before the source build is installed so that only one copy of the library is on the loader path:
    • RHEL/CentOS:
      sudo yum install numactl-libs numactl-devel
      git clone https://github.com/memkind/memkind.git
      cd memkind
      ./build.sh --prefix=/usr
      sudo yum remove memkind
      sudo make install
      sudo ldconfig
    • Ubuntu or Debian:
      sudo apt-get install libnuma1 libnuma-dev
      git clone https://github.com/memkind/memkind.git
      cd memkind
      ./build.sh --prefix=/usr
      sudo apt-get remove libmemkind0
      sudo make install
      sudo ldconfig
    • SLES:
      sudo zypper install numactl-libs numactl-devel
      git clone https://github.com/memkind/memkind.git
      cd memkind
      ./build.sh --prefix=/usr
      sudo zypper remove memkind
      sudo make install
      sudo ldconfig
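After installing memkind, it is worth confirming that the dynamic loader can actually resolve the library, because a consumer that uses dlopen() simply degrades when it cannot. The probe below is an added example, not Kudu's code: it assumes the library is installed under the soname libmemkind.so.0 (or libmemkind.so for a source build) and that it exports memkind_get_version(), which is assumed to pack MAJOR*1000000 + MINOR*1000 + PATCH into one integer.

```python
"""Probe for the memkind shared library the way a dlopen()-based consumer does.

Added example; not Kudu's code. Assumes the sonames libmemkind.so.0 /
libmemkind.so and a memkind_get_version() export packing
MAJOR*1000000 + MINOR*1000 + PATCH.
"""
import ctypes
from typing import Optional

# Most specific soname first: distribution packages ship libmemkind.so.0;
# the unversioned name usually comes from a -devel package or a source build.
MEMKIND_CANDIDATES = ("libmemkind.so.0", "libmemkind.so")


def try_dlopen(soname: Optional[str]) -> Optional[ctypes.CDLL]:
    """dlopen() a shared object by soname; None if the loader cannot resolve it.

    ctypes.CDLL(None) mirrors dlopen(NULL): a handle to the running program.
    """
    try:
        return ctypes.CDLL(soname)
    except OSError:
        return None


def find_memkind() -> Optional[ctypes.CDLL]:
    """Return a handle for the first memkind soname the loader can resolve."""
    for soname in MEMKIND_CANDIDATES:
        lib = try_dlopen(soname)
        if lib is not None:
            return lib
    return None


def decode_version(packed: int) -> str:
    """Unpack MAJOR*1000000 + MINOR*1000 + PATCH into 'MAJOR.MINOR.PATCH'."""
    major, rest = divmod(packed, 1_000_000)
    minor, patch = divmod(rest, 1_000)
    return f"{major}.{minor}.{patch}"


def memkind_version(lib: ctypes.CDLL) -> Optional[str]:
    """Call memkind_get_version() if the loaded library exports it (assumption)."""
    fn = getattr(lib, "memkind_get_version", None)
    if fn is None:
        return None
    fn.restype = ctypes.c_int
    fn.argtypes = []
    return decode_version(fn())


def nvm_cache_status() -> str:
    """Verdict in the terms a tablet server would reach at startup."""
    lib = find_memkind()
    if lib is None:
        return "memkind not found: NVM block cache unavailable, DRAM cache only"
    version = memkind_version(lib) or "unknown"
    return f"memkind {version} loaded: NVM block cache can be enabled"


if __name__ == "__main__":
    print(nvm_cache_status())
```

Run it on the tablet server host after `ldconfig`; if it reports the library as missing, check that the installed soname matches the candidates above and that the install prefix is in the loader's search path.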

Java client doesn't verify channel bindings during connection negotiation

Affected Versions: CDH 6.3.0, 6.3.1

Fixed Versions: 6.3.2

Apache Issue: KUDU-3014 - Fixed a bug in the connection negotiation code of the Kudu Java client: the client did not check the channel binding information presented by the server. The Kudu Java client now verifies the channel binding information while negotiating connections to Kudu servers, so the authentication exchange is tied to the TLS session it runs over.
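The check the client has to perform is small but easy to skip. The following is an added example, not the Kudu Java client's code: it assumes the binding exchanged is the RFC 5929 tls-server-end-point value (a hash of the server's DER certificate, using the hash of the certificate's signature algorithm with MD5 and SHA-1 promoted to SHA-256), and the certificates are constructed byte strings rather than real X.509 data.

```python
"""tls-server-end-point channel binding check (RFC 5929), client side.

Added example; not the Kudu Java client's code. Assumes the binding is the
RFC 5929 tls-server-end-point value; certificates are constructed bytes.
"""
import hashlib
import hmac


def server_end_point_hash(signature_hash: str) -> str:
    """Map the certificate signature hash to the binding hash (RFC 5929 4.1)."""
    name = signature_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        return "sha256"
    if name not in hashlib.algorithms_available:
        raise ValueError(f"unsupported signature hash: {signature_hash}")
    return name


def channel_binding(cert_der: bytes, signature_hash: str) -> bytes:
    """tls-server-end-point binding for a DER-encoded certificate."""
    return hashlib.new(server_end_point_hash(signature_hash), cert_der).digest()


def client_verifies(seen_cert_der: bytes, signature_hash: str,
                    peer_binding: bytes) -> bool:
    """Recompute from the certificate actually received on the TLS connection
    and compare in constant time against the binding the server sent inside
    the negotiation. Trusting peer_binding without this step is the bug.
    """
    expected = channel_binding(seen_cert_der, signature_hash)
    return hmac.compare_digest(expected, peer_binding)


# Constructed stand-ins for DER certificates (not real X.509 data).
SERVER_CERT = b"\x30\x82\x01\x00" + b"kudu-tserver-cert-body"
MITM_CERT = b"\x30\x82\x01\x00" + b"some-other-cert-body"


def demo() -> dict:
    """A direct connection passes; a relay presenting its own certificate
    while forwarding the real server's binding fails."""
    server_sent = channel_binding(SERVER_CERT, "sha256")
    return {
        "direct": client_verifies(SERVER_CERT, "sha256", server_sent),
        "relayed": client_verifies(MITM_CERT, "sha256", server_sent),
    }


if __name__ == "__main__":
    print(demo())  # {'direct': True, 'relayed': False}
```

The comparison must use the certificate the client saw on its own TLS connection, never one carried inside the negotiation message, and a constant-time compare so the check does not leak which bytes differed.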

Potential to bypass transaction and idempotent ACL checks in Apache Kafka

It is possible to manually craft a Produce request which bypasses transaction and idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability.
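To make the ACL surface involved concrete, here is an illustrative authorization model for a Produce request. It is an added example, not Apache Kafka's code, and it does not describe the CVE-2018-17196 patch. The operation names are Kafka's (Write on a Topic, IdempotentWrite on the Cluster, Write on a TransactionalId), as are record batch attribute bit 4 for "transactional" and producer id -1 for "not idempotent"; the request layout is simplified, the ACL table is a constructed in-memory set, and deriving the required checks from the record batches rather than from the request header alone is this example's design choice.

```python
"""Authorization model for a Kafka Produce request: which ACLs must hold.

Added illustrative example; not Apache Kafka's code and not a description of
the CVE-2018-17196 fix. Operation names and the batch flag bit are Kafka's;
the request layout is simplified and the ACL table is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

TRANSACTIONAL_FLAG = 0x10   # RecordBatch attributes, bit 4
NO_PRODUCER_ID = -1         # producer_id of a batch that is not idempotent
CLUSTER_NAME = "kafka-cluster"

# ACL entry: (principal, resource_type, resource_name, operation)
Acl = Tuple[str, str, str, str]
Requirement = Tuple[str, str, str]


@dataclass
class RecordBatch:
    producer_id: int = NO_PRODUCER_ID
    attributes: int = 0

    @property
    def idempotent(self) -> bool:
        return self.producer_id != NO_PRODUCER_ID

    @property
    def transactional(self) -> bool:
        return bool(self.attributes & TRANSACTIONAL_FLAG)


@dataclass
class ProduceRequest:
    transactional_id: Optional[str]
    batches: List[Tuple[str, RecordBatch]]   # (topic, batch)


def required_acls(req: ProduceRequest) -> Set[Requirement]:
    """Derive the checks from what each batch actually carries.

    Topic Write alone is never enough for a batch that carries a producer id
    or the transactional flag. The header only supplies the transactional id;
    a transactional batch without one is malformed and rejected.
    """
    needed: Set[Requirement] = set()
    for topic, batch in req.batches:
        needed.add(("Topic", topic, "Write"))
        if batch.idempotent:
            needed.add(("Cluster", CLUSTER_NAME, "IdempotentWrite"))
        if batch.transactional:
            if req.transactional_id is None:
                raise ValueError("transactional batch without transactional id")
            needed.add(("TransactionalId", req.transactional_id, "Write"))
    return needed


def authorize(principal: str, req: ProduceRequest,
              acls: FrozenSet[Acl]) -> Tuple[bool, Set[Requirement]]:
    """Return (allowed, missing requirements) for this principal."""
    missing = {r for r in required_acls(req) if (principal,) + r not in acls}
    return (not missing, missing)


# Constructed ACL table: the producer may write to "orders" and nothing else.
ACLS: FrozenSet[Acl] = frozenset({("User:app", "Topic", "orders", "Write")})


def plain_request() -> ProduceRequest:
    return ProduceRequest(None, [("orders", RecordBatch())])


def idempotent_request() -> ProduceRequest:
    return ProduceRequest(None, [("orders", RecordBatch(producer_id=4711))])


def transactional_request() -> ProduceRequest:
    batch = RecordBatch(producer_id=4711, attributes=TRANSACTIONAL_FLAG)
    return ProduceRequest("txn-1", [("orders", batch)])


if __name__ == "__main__":
    for name, req in (("plain", plain_request()),
                      ("idempotent", idempotent_request()),
                      ("transactional", transactional_request())):
        print(name, authorize("User:app", req, ACLS))
```

The point of the model is that a principal holding only Topic Write is refused the moment a batch claims idempotence or a transaction, whatever the request header says; that is the property an operator should expect from a fixed broker when auditing who holds IdempotentWrite and TransactionalId Write.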

Products affected:
  • CDH
  • CDK Powered by Apache Kafka

Releases affected:
  • CDH versions 6.0.x, 6.1.x, 6.2.0
  • CDK versions 3.0.x, 3.1.x, 4.0.x

Users affected: All users who run Kafka in CDH and CDK.

Date/time of detection: September 2018

Severity (Low/Medium/High): High; CVSS 7.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)

Impact: Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This can aid in further attacks.

CVE: CVE-2018-17196

Immediate action required: Upgrade to a CDH or CDK release containing the fix.

Addressed in release/refresh/patch:
  • CDH 6.2.1, 6.3.2
  • CDK 4.1.0

Knowledge article: For the latest update on this issue, see the corresponding Knowledge article: TSB 2020-378: Potential to bypass transaction and idempotent ACL checks in Apache Kafka