Created on 09-16-2018 10:20 PM - edited 09-16-2018 10:55 PM
Hi,
Due to our corporate security guidelines, we need to fix all the vulnerabilities detected by the Nessus scan. So I upgraded my CDH cluster to the latest 5.15.1, thinking that it may fix some of them. However, I still have those. The list is given below. Let me know if there is any fix already or if I need to wait till the next version release. For some of them Nessus gives a solution, but I am worried that taking that action may break the cluster. So, any suggestions please?
Cloudera Manager: 4 medium vulnerabilities
Nessus Plugin #85582
Web Application Potentially Vulnerable to Clickjacking
Ports affected : 8084,8086,8087 and 8091
The following pages do not use a clickjacking mitigation response header and contain a clickable event :
- http://cdhmgr.innovate.ibm.com:<port>/logging
- http://cdhmgr.innovate.ibm.com:<port>/poorMansProfiler
Solution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.
This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
Namenode : 1 High vulnerability
Nessus Plugin #68981
Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution
Ports affected : 50070
Nessus was able to exploit the issue using the following request : http://cdhnn.innovate.ibm.com:50070/nn_browsedfscontent.jsp?redirect:%24%7B57550614%2b16044095%7D
Solution:
Upgrade to version 2.3.15.1 or later.
DataNodes: 1 High Vulnerability
Nessus Plugin #42424
CGI Generic SQL Injection (blind)
Ports affected: 25000
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'object_type' parameter of the /catalog_object CGI :
/catalog_object?object_name=_impala_builtins&object_type=DATABASEzz_impa la_builtins&object_type=DATABASEyy
-------- output --------
<div class='container' style='width:80%'>
-------- vs --------
<div class='container' style='width:80%'>
<div class="alert alert-danger">
<strong>Error:</strong> Unexpected object type: 0
------------------------
/catalog_object?object_name=_impala_builtins&object_type=DATABASEzz_impa la_builtins&object_type=DATABASEyy {2}
-------- output --------
<div class='container' style='width:80%'>
-------- vs --------
<div class='container' style='width:80%'>
<div class="alert alert-danger">
<strong>Error:</strong> Unexpected object type: 0
------------------------
+ The 'level' parameter of the /set_java_loglevel CGI :
/set_java_loglevel?class=428430&level=allzz428430&level=allyy
-------- output --------
<button type="submit" class="btn btn-primary btn-sm">Set Jav [...]
<strong> Effective log level: ALL</strong>
</div>
-------- vs --------
<button type="submit" class="btn btn-primary btn-sm">Set Jav [...]
<strong> Effective log level: DEBUG</strong>
</div>
------------------------
/set_java_loglevel?class=428430&level=allzz428430&level=allyy {2}
-------- output --------
<button type="submit" class="btn btn-primary btn-sm">Set Jav [...]
<strong> Effective log level: ALL</strong>
</div>
-------- vs --------
<button type="submit" class="btn btn-primary btn-sm">Set Jav [...]
<strong> Effective log level: DEBUG</strong>
</div>
------------------------
Ports affected: 8888
Page : /hue/accounts/login/
Destination Page: /accounts/login/
Page : /accounts/login/
Destination Page: /accounts/login/
Solution:
Make sure that every sensitive form transmits content over HTTPS
ZookeeperNodes : 1 Medium vulnerability
Nessus Plugin #110266
Apache Zookeeper x < 3.4.10 / 3.5.x < 3.5.4 Missing Authentication Remote Quorum Joining Vulnerability
Ports affected: 2181
Installed version : 3.4.5
Fixed version : 3.4.10
Solution:
Update to Apache Zookeeper 3.4.10 or 3.5.4 or later.
NFS Gateway Node: 1 High and 2 medium vulnerabilities
Nessus Plugin #34460
Ports affected: 11000
Product : Tomcat
Installed version : 6.0.53
Support ended : 2016-12-31
Supported versions : 8.5.x / 7.0.x
Additional information : http://tomcat.apache.org/tomcat-60-eol.html
Solution:
Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.
Nessus Plugin #12085
Apache Tomcat Default Files
Port affected: 11000
The following default files were found : /nessus-check/default-404-error-page.html
Solution:
Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.
Nessus Plugin #42256
Ports affected: 2049
The following shares have no access restrictions : / *
Solution:
Place the appropriate restrictions on all NFS shares.
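Added example, not part of the original post or of Cloudera's or Nessus's code: a way to re-check the plugin #85582 finding after a configuration change, by classifying a response's headers against the X-Frame-Options / Content-Security-Policy 'frame-ancestors' solution quoted above. The header sets in SAMPLES are constructed, and the function names are hypothetical.

```python
VALID_XFO = {"deny", "sameorigin"}

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def is_permissive(sources):
    # A bare wildcard or a bare scheme lets any site frame the page.
    return any(s in ("*", "http:", "https:") for s in sources)

def framing_verdict(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason)."""
    policies = [frame_ancestors(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    policies = [p for p in policies if p is not None]
    if policies:
        # When frame-ancestors is present it is evaluated instead of X-Frame-Options.
        strict = [p for p in policies if not is_permissive(p)]
        if strict:
            return True, "CSP frame-ancestors " + (" ".join(strict[0]) or "'none'")
        return False, "CSP frame-ancestors allows any origin"
    xfo = set()
    for n, v in headers:
        if n.lower() == "x-frame-options":
            xfo.update(t.strip().lower() for t in v.split(",") if t.strip())
    if not xfo:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    if len(xfo) == 1 and xfo <= VALID_XFO:
        return True, "X-Frame-Options " + next(iter(xfo))
    # ALLOW-FROM, typos and conflicting values all land here for manual review.
    return False, "X-Frame-Options value(s) need review: " + ", ".join(sorted(xfo))

SAMPLES = {  # constructed header sets, not captured from the cluster in the post
    "bare": [("Content-Type", "text/html")],
    "xfo": [("X-Frame-Options", "SAMEORIGIN")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp_star": [("Content-Security-Policy", "frame-ancestors *"),
                 ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_verdict(hdrs))
```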
Created 09-17-2018 05:35 AM
Created 09-17-2018 07:36 AM
@Tomas79 Thank you. What you said is correct: as of now, no TLS and Kerberos. Let me try to configure those to see if that fixes at least a couple of those vulnerabilities.
Created 02-14-2019 02:38 PM
AFAIK, the struts problem is a false positive because you can't get that port to run example exploit code.
https://blog.appsecco.com/detecting-and-exploiting-the-java-struts2-rest-plugin-vulnerability-cve-20...
Has anyone got a solution to the Tomcat NFS upgrade problem? That looks tricky.