Fixed Issues in Cloudera Manager 6.1.0
The following sections describe issues fixed in Cloudera Manager 6.1.0:
- ZooKeeper JMX did not support TLS when managed by Cloudera Manager
- Upgrade fails during checkJavaComponent (DbHostHeartbeat.java:177)
- CDH 6 upgrade validator fails when no Sentry service is available
- creds.localjceks marked stale with an empty diff
- Search upgrade reinitialize does not use config for hdfs command
- Export cluster template API returns failure
- Kafka should use the Garbage first garbage collector by default
- Externally authenticated users cannot view their roles or previous session
- Cloudera Manager not detecting available physical memory correctly
- HDFS_CLIENT_CONFIG_JAVA_OPTS has hbase in the template name
- Fix typos in "detecton_window" API names
- CDH 6 Spark CSD does not support Auto-TLS
- Impala shell does not display the port number
- Enable ZooKeeper fix for CVE-2018-8012
- Combine audit entries
- CMF_SERVER_ARGS if given a configuration file results in staleness for Cloudera Manager
- Kudu package missing from libs/common/src/main/java/com/cloudera/cmf/CDHResources
- Restart warnings are incorrect after starting role with outdated configuration
- Typo in HiveServer2 load balancer API name
- Traceback seen in ImpalaRoleDiagnosticsCollection and HBaseRoleDiagnosticsCollection process
- Fix kafka_network_processor_avg_idle metric
- Sentry fails on first run, due to a pending command
- HDFS Canary with HA nameservice in a non-federated cluster fails
- Server and Daemon RPM installation scripts do not work well with Puppet installs
- Cannot stop Kafka broker
- Database connection error.
- CSD role creation logic fixed for second instance of service
- Agent should download key bundles when behind proxy (plain HTTP)
ZooKeeper JMX did not support TLS when managed by Cloudera Manager
Technical Service Bulletin 2019-310 (TSB)
The ZooKeeper service optionally exposes a JMX port used for reporting and metrics. By default, Cloudera Manager enables this port, but prior to Cloudera Manager 6.1.0, it did not support mutual TLS authentication on this connection. While JMX has a password-based authentication mechanism that Cloudera Manager enables by default, weaknesses have been found in the authentication mechanism, and Oracle now advises JMX connections to enable mutual TLS authentication in addition to password-based authentication. A successful attack may leak data, cause denial of service, or even allow arbitrary code execution on the Java process that exposes a JMX port. Beginning in Cloudera Manager 6.1.0, it is possible to configure mutual TLS authentication on ZooKeeper’s JMX port.
Products affected: ZooKeeper
Releases affected: Cloudera Manager 6.1.0 and lower, Cloudera Manager 5.16 and lower
Users affected: All
Date/time of detection: June 7, 2018
Severity (Low/Medium/High): 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact: Remote code execution
CVE: CVE-2018-11744
Addressed in release/refresh/patch: Cloudera Manager 6.1.0
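The following added example (not Cloudera code) audits a JVM command line for the gap this bulletin describes: a remote JMX port protected by password authentication but not by mutual TLS. It assumes the standard `com.sun.management.jmxremote.*` JVM properties and their documented defaults; the two sample command lines are constructed.

```python
import shlex

PREFIX = "-Dcom.sun.management.jmxremote."
# JVM defaults for the built-in JMX agent when a property is not set.
JMX_DEFAULTS = {
    "port": None,
    "authenticate": "true",
    "ssl": "true",
    "ssl.need.client.auth": "false",
    "registry.ssl": "false",
}


def jmx_settings(cmdline):
    """Extract com.sun.management.jmxremote.* properties from a JVM command line."""
    settings = dict(JMX_DEFAULTS)
    for arg in shlex.split(cmdline):
        if arg.startswith(PREFIX):
            key, _, value = arg[len(PREFIX):].partition("=")
            if key in settings:
                settings[key] = value.lower() or "true"
    return settings


def audit_jmx(cmdline):
    """Return findings; an empty list means remote JMX is off or uses mutual TLS."""
    s = jmx_settings(cmdline)
    if s["port"] is None:
        return []  # no remote JMX listener configured
    findings = []
    if s["authenticate"] != "true":
        findings.append("password authentication disabled")
    if s["ssl"] != "true":
        findings.append("TLS disabled on the JMX connector")
    if s["ssl.need.client.auth"] != "true":
        findings.append("client certificate not required (no mutual TLS)")
    if s["registry.ssl"] != "true":
        findings.append("RMI registry not protected by TLS")
    return findings


# Constructed sample command lines (not taken from a real deployment).
PASSWORD_ONLY = ("java " + PREFIX + "port=9010 " + PREFIX + "authenticate=true "
                 + PREFIX + "ssl=false org.apache.zookeeper.server.quorum.QuorumPeerMain")
MUTUAL_TLS = ("java " + PREFIX + "port=9010 " + PREFIX + "ssl=true "
              + PREFIX + "ssl.need.client.auth=true " + PREFIX + "registry.ssl=true "
              "org.apache.zookeeper.server.quorum.QuorumPeerMain")

if __name__ == "__main__":
    print(audit_jmx(PASSWORD_ONLY), audit_jmx(MUTUAL_TLS))
```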
Upgrade fails during checkJavaComponent (DbHostHeartbeat.java:177)
Fixed an issue with Java version parsing during Cloudera Manager upgrade.
Cloudera Issue: OPSAPS-47620
CDH 6 upgrade validator fails when no Sentry service is available
Fixed an issue where, on a CDH 5 cluster with a Keystore Indexer but without a Sentry service, attempting to upgrade to CDH 6 displayed an empty error message. Note that when Sentry Policy File is enabled, users must either disable it or add a Sentry service, so that the policy file can be migrated automatically.
Cloudera Issue: OPSAPS-47617
creds.localjceks marked stale with an empty diff
Fixed an issue where creds.localjceks, the encrypted keystore used for the Hadoop Credentials provider, might be shown under the list of stale configuration files, but the contents did not actually change. When a role instance is shown as stale and its files include creds.localjceks, then this file will also be marked stale. This fix eliminates false reports of staleness.
Cloudera Issue: OPSAPS-47511
Search upgrade reinitialize does not use config for hdfs command
Fixed an issue where on CDH upgrade, Solr index files were not getting deleted from HDFS. This caused Solr to fail to start since files had an old index scheme.
Cloudera Issue: OPSAPS-47502
Export cluster template API returns failure
Fixed the cluster template export failure when the Hue configuration HDFS Web Interface Role (webhdfs_url) is using or pointing to the httpfs load balancer rather than to an HDFS role.
Cloudera Issue: OPSAPS-47060
Kafka should use the Garbage first garbage collector by default
Fixed an issue where Kafka broker and MirrorMaker processes did not use the Garbage-First (G1) garbage collector.
Cloudera Issue: OPSAPS-45956
Externally authenticated users cannot view their roles or previous session
Fixed a display issue where a user could not see their assigned roles and most recent successful login by navigating to Cloudera Manager Admin Console. This issue did not affect functionality.
Cloudera Issue: OPSAPS-46996, OPSAPS-47025
Cloudera Manager not detecting available physical memory correctly
Fixed an issue with incorrect reporting of used physical memory on host nodes with a significant amount of Shared Memory in use. Cloudera Manager now takes usage of Shared Memory into account when reporting the physical memory used on a host node.
Cloudera Issue: OPSAPS-47396
HDFS_CLIENT_CONFIG_JAVA_OPTS has hbase in the template name
Changed the API name of the following parameter, which incorrectly contained hbase:
Old Name | New Name |
---|---|
hbase_client_java_opts | hdfs_client_java_opts |
This parameter configures the Client Java Configuration Options found under the HDFS Gateway role configuration. Any API scripts or cluster templates referencing the old name need to be updated to use the new name.
Cloudera Issue: OPSAPS-24569
Fix typos in "detecton_window" API names
Changed the API names to fix typos in the following parameters:
Old Name | New Name |
---|---|
hbase_active_master_detecton_window | hbase_active_master_detection_window |
hdfs_active_namenode_detecton_window | hdfs_active_namenode_detection_window |
mapreduce_active_jobtracker_detecton_window | mapreduce_active_jobtracker_detection_window |
yarn_active_resourcemanager_detecton_window | yarn_active_resourcemanager_detection_window |
These parameters tune the behavior of health test checking. The affected entities are: HBase Master, HDFS NameNode, MapReduce JobTracker, YARN ResourceManager. Any API scripts or cluster templates referencing these old names need to be updated to use the new names.
Cloudera Issue: OPSAPS-39223
CDH 6 Spark CSD does not support Auto-TLS
Fixed an issue where Auto-TLS settings were not applied to the Spark service when Auto-TLS was enabled.
Cloudera Issue: OPSAPS-47925
Impala shell does not display the port number
Fixed an issue where the Impala shell command in the Cloudera Manager Admin Console was missing the port number required to connect to the Impala shell.
Cloudera Issue: OPSAPS-47589
Enable ZooKeeper fix for CVE-2018-8012
The Enable Kerberos Authentication and Enable Server to Server SASL Authentication settings in ZooKeeper are now linked, because both should be turned on or both turned off. If either is switched on or off, the other automatically follows.
This change automates steps that address CVE-2018-8012. Previously, the solution required manual steps.
Cloudera Issue: OPSAPS-46628
Combine audit entries
Fixed an issue that occurs when the API is accessed at a rapid rate. This can cause the Audits database table to grow rapidly, negatively impacting Cloudera Manager performance.
Cloudera Manager logs events in the Audits database table when the API is accessed either from the Admin Console or from any other client. You can now configure a time period during which similar events are combined into one log entry. For more information, see Audit Events.
Cloudera Issue: OPSAPS-46898
CMF_SERVER_ARGS if given a configuration file results in staleness for Cloudera Manager
Fixed an issue where applying a configuration change with CMF_SERVER_ARGS arguments (using the /etc/default/cloudera-scm-server configuration file) led to a staleness warning after a Cloudera Manager server restart.
Cloudera Issue: OPSAPS-47240
Kudu package missing from libs/common/src/main/java/com/cloudera/cmf/CDHResources
Fixed an issue where Cloudera Manager did not install Kudu packages when CDH was installed with packages instead of parcels.
Cloudera Issue: OPSAPS-45692
Restart warnings are incorrect after starting role with outdated configuration
Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as Started with Outdated Configuration.
Cloudera Issue: OPSAPS-45237
Typo in HiveServer2 load balancer API name
Fixed a typo in the following parameter. This change affects Hive services when Hive Server 2 is configured for High Availability.
Old Name | New Name |
---|---|
hiverserver2_load_balancer | hiveserver2_load_balancer |
Any API scripts or cluster templates referencing the old name will need to be updated to use the new name.
Cloudera Issue: OPSAPS-33266
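The three rename sections above (hdfs_client_java_opts, the detection_window parameters, and hiveserver2_load_balancer) all require updating cluster templates. The following added example (not Cloudera code) applies the renames to a template. Each rename is scoped to the service type the notes name, so a parameter with the same name under another service is left alone. The `services` / `serviceConfigs` / `roleConfigGroups` layout and the sample template are assumptions constructed for illustration.

```python
import json

# (service type, old name) -> new name, from the rename tables in these release notes.
RENAMES = {
    ("HDFS", "hbase_client_java_opts"): "hdfs_client_java_opts",
    ("HBASE", "hbase_active_master_detecton_window"): "hbase_active_master_detection_window",
    ("HDFS", "hdfs_active_namenode_detecton_window"): "hdfs_active_namenode_detection_window",
    ("MAPREDUCE", "mapreduce_active_jobtracker_detecton_window"):
        "mapreduce_active_jobtracker_detection_window",
    ("YARN", "yarn_active_resourcemanager_detecton_window"):
        "yarn_active_resourcemanager_detection_window",
    ("HIVE", "hiverserver2_load_balancer"): "hiveserver2_load_balancer",
}


def migrate_template(template):
    """Rename old parameter names in place; return a list of (service, old, new)."""
    changed = []
    for svc in template.get("services", []):
        stype = svc.get("serviceType")
        # Collect service-level configs and every role config group's configs.
        configs = list(svc.get("serviceConfigs", []))
        for group in svc.get("roleConfigGroups", []):
            configs.extend(group.get("configs", []))
        for cfg in configs:
            new = RENAMES.get((stype, cfg.get("name")))
            if new:
                changed.append((svc.get("refName"), cfg["name"], new))
                cfg["name"] = new
    return changed


# Constructed sample template (layout assumed, values made up).
SAMPLE = json.loads("""
{"services": [
  {"refName": "hdfs", "serviceType": "HDFS",
   "serviceConfigs": [{"name": "hdfs_active_namenode_detecton_window", "value": "5"}],
   "roleConfigGroups": [{"refName": "hdfs-GATEWAY-BASE", "roleType": "GATEWAY",
     "configs": [{"name": "hbase_client_java_opts", "value": "-Xmx256m"}]}]},
  {"refName": "hbase", "serviceType": "HBASE",
   "roleConfigGroups": [{"refName": "hbase-GATEWAY-BASE", "roleType": "GATEWAY",
     "configs": [{"name": "hbase_client_java_opts", "value": "-Xmx512m"}]}]},
  {"refName": "hive", "serviceType": "HIVE",
   "serviceConfigs": [{"name": "hiverserver2_load_balancer", "value": "lb.example.com:10000"}]}
]}
""")

if __name__ == "__main__":
    print(migrate_template(SAMPLE))
```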
Traceback seen in ImpalaRoleDiagnosticsCollection and HBaseRoleDiagnosticsCollection process
Fixed an issue that caused an exception to occur in the Cloudera Manager Agent during diagnostic bundle collection if the process had exited previously.
Cloudera Issue: OPSAPS-47354
Fix kafka_network_processor_avg_idle metric
Fixed an issue where the kafka_network_processor_avg_idle metric showed NO DATA.
Cloudera Issue: OPSAPS-45816
Sentry fails on first run, due to a pending command
When starting Sentry for the first time after the service was added, the "Creating Sentry Database Tables" step in the Start Service command may fail with the error: "There is already a pending command on this entity". This issue has been fixed and starting Sentry for the first time after the service was added no longer fails due to a pending command.
Cloudera Issue: OPSAPS-48426
HDFS Canary with HA nameservice in a non-federated cluster fails
The HDFS canary no longer erroneously reports UNKNOWN health status.
Cloudera Issue: OPSAPS-48337
Server and Daemon RPM installation scripts do not work well with Puppet installs
If you have installed the JDK at a non-standard location, set the JAVA_HOME environment variable before installing Cloudera Manager. If you cannot set JAVA_HOME in your environment, create an empty file with the path /etc/cloudera-pre-install/CLOUDERA_SKIP_JAVA_INSTALL_CHECK to skip any Java checks during package installation of Cloudera Manager Server and Daemon packages.
Cloudera Issue: OPSAPS-47908
Cannot stop Kafka broker
Fixed an issue where the Kafka Broker could not be stopped if Automatically Restart Process is enabled. Because of a misconfiguration in process monitoring, the Cloudera Manager Agent would also restart the process when a legitimate stop was requested. Additionally, without automatic restarts, once the process was stopped, the health check for Unexpected Exits would eventually show the process in bad health. Note that this bug affected all CSD-based services where a graceful stop behavior was enabled at the role level.
Cloudera Issue: OPSAPS-45029
Database connection error.
Fixed a database connection leak issue that caused the following error: java.lang.IllegalStateException: currentCmfEntityManager already in transaction.
Cloudera Issue: OPSAPS-45829
CSD role creation logic fixed for second instance of service
Fixed the automatic role creation logic when adding a second instance of a service. Adding a second instance of a service could result in extra roles being generated for the first instance of a service.
Cloudera Issue: OPSAPS-47766
Agent should download key bundles when behind proxy (plain HTTP)
Even if a proxy server was configured for Cloudera Manager, it was not used to download the package signing key during host installs, leading to installation failures. This has been fixed so that downloading the package signing key will use the configured proxy, but only if it is a plain HTTP proxy. Proxies requiring authentication or HTTPS are not currently supported. As a workaround, you can mirror the package repository locally to avoid needing a proxy.
Cloudera Issue: OPSAPS-47830