Community Articles

rblough · ‎06-20-2021

The Qualys tool reports vulnerabilities in ZooKeeper, even when the ZooKeeper security configuration is applied (HDP doc, CDP doc).

There are two kinds of reports Qualys makes that are not addressable by Cloudera:

The security guidance keeps several znodes in the affected services as world-readable, like so:
```
/zookeeper/quota sasl:zookeeper:cdrwa,world:anyone:r
```
Any world-readable znode will appear on the scanner, and will require an exception filed for it. This is the position of Qualys, as reported by our customers who use Qualys.
The security guidance does not cover several services. The following components require no action according to our documentation:
- Calcite
- Knox
- MapReduce
- Spark
- Tez
- Zeppelin

The Qualys tool will still report znodes owned by these services.

Note: it is possible to harden the ACLs beyond the Best Practices recommendation in the documentation, and to harden the ACLs of services not covered in the Best Practices. However, Cloudera cannot provide what the correct ACLs are in that case. Testing on the customer's side is required. It is very easy to set the ACLs such that services that need access to the znode will not have it, and this needs to be handled on a znode by znode basis.

If an attempt at hardening the ACLs is going to be made, these suggestions may help:

Try implementing SASL (this is the same method used in most of the Best Practices recommendations)
Try restricting privileges to the service user
If something breaks, try to identify the user that performed the failed action, and add the necessary privileges only for that user

Cloudera Community

Community Articles

Qualys Vulnerability Scanner requries exceptions for clusters secured with ZooKeeper ACLs

Apache Hadoop

Apache Zookeeper

Cloudera Data Platform (CDP)

Cloudera Data Platform Private Cloud (CDP-Private)

Cloudera Enterprise Data Hub

Hortonworks Data Platform (HDP)