Support Questions

Find answers, ask questions, and share your expertise

Hadoop security patching management

avatar
Master Collaborator

Hello community,

 

We started a Hadoop hardening review and one of the items is identifying security vulnerability issues, 

 

We are using https://nvd.nist.gov/vuln/search to review new vulnerability issues (not the OS ones), will be happy to hear how and what are the best ways and best practises to manage this process.

1) Is the patching  process part of the CDH versions, if i need to apply a patch do i have other ways without upgrading the CDH version?

2) Is there a dedicated board for cloudera/hadoop vulnerability issues that can be used as source of truth?

3) Where i can get the patches? is it requesting subscription? 

 

For example, i want to follow this one https://nvd.nist.gov/vuln/detail/CVE-2019-14449 , is it mean to get this done i need to upgrade to 5.16.2 or there is a patch that i can download and run it?

 

 

1 REPLY 1

avatar
Moderator

Hello @Fawze ,

 

thank you for raising your question regarding on our Common Vulnerabilities and Exposures (CVE) processes. Please see [1] and [2] articles on how we handle vulnerabilities and [3] for the Security Bulletins.

 

Q1) Is the patching  process part of the CDH versions, if i need to apply a patch do i have other ways without upgrading the CDH version?

 

A1) for Cloudera Customers there is a patching process available, however the process is equivalent to deploying to a new minor version. Therefore we encourage applying the latest minor versions instead of patching when fix is available. There are situations when patching is not possible because of the amount of code change / redesign required. If you are a subscription customer, please file a Support ticket on our Support Portal listing all your requirements and we will guide you through the process. When you are in the process of redesigning your cluster, please involve your Account Team (Sales Team) as early as possible, as they might able to assist you to build a more robust system.

 

 

Q2)  Is there a dedicated board for cloudera/hadoop vulnerability issues that can be used as source of truth?

 

A2) Yes, it is called Security Bulletins. Please see [3]

 

 

Q3) Where i can get the patches? is it requesting subscription? 

 

A3) Yes, it is required to have a subscription to access Support. We understand that patching is an expensive exercise, therefore we do our best to identify options on how to resolve your issue, which might not require a patch. Please always apply the latest minor version release for your Cloudera software, as it contains the latest bug fixes. By this you can reduce the likelihood of downtime.

 

 

Q4) For example, i want to follow this one https://nvd.nist.gov/vuln/detail/CVE-2019-14449 , is it mean to get this done i need to upgrade to 5.16.2 or there is a patch that i can download and run it?

 

A4) Based on [3] there is no workaround identified, which means you have to upgrade to a version that contains the fix: Cloudera Manager 5.16.2, 6.0.2, 6.1.1, 6.2.0, 6.3.0

Since the issue affects CM only, you do not need to upgrade your CDH, only CM.

 

Please let us know if we answered all of your enquiries and if so, please mark the answer as the solution, so it will be easier for other community members to find it.

 

Best regards:

Ferenc

 

[1] http://blog.cloudera.com/blog/2016/05/clouderas-process-for-handling-security-vulnerabilities/

[2] http://www.apache.org/security/committers.html#vulnerability-handling

[3] https://docs.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html


Ferenc Erdelyi, Technical Solutions Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community: