Hello @Fawze ,
thank you for raising your question regarding on our Common Vulnerabilities and Exposures (CVE) processes. Please see [1] and [2] articles on how we handle vulnerabilities and [3] for the Security Bulletins.
Q1) Is the patching process part of the CDH versions, if i need to apply a patch do i have other ways without upgrading the CDH version?
A1) for Cloudera Customers there is a patching process available, however the process is equivalent to deploying to a new minor version. Therefore we encourage applying the latest minor versions instead of patching when fix is available. There are situations when patching is not possible because of the amount of code change / redesign required. If you are a subscription customer, please file a Support ticket on our Support Portal listing all your requirements and we will guide you through the process. When you are in the process of redesigning your cluster, please involve your Account Team (Sales Team) as early as possible, as they might able to assist you to build a more robust system.
Q2) Is there a dedicated board for cloudera/hadoop vulnerability issues that can be used as source of truth?
A2) Yes, it is called Security Bulletins. Please see [3]
Q3) Where i can get the patches? is it requesting subscription?
A3) Yes, it is required to have a subscription to access Support. We understand that patching is an expensive exercise, therefore we do our best to identify options on how to resolve your issue, which might not require a patch. Please always apply the latest minor version release for your Cloudera software, as it contains the latest bug fixes. By this you can reduce the likelihood of downtime.
Q4) For example, i want to follow this one https://nvd.nist.gov/vuln/detail/CVE-2019-14449 , is it mean to get this done i need to upgrade to 5.16.2 or there is a patch that i can download and run it?
A4) Based on [3] there is no workaround identified, which means you have to upgrade to a version that contains the fix: Cloudera Manager 5.16.2, 6.0.2, 6.1.1, 6.2.0, 6.3.0
Since the issue affects CM only, you do not need to upgrade your CDH, only CM.
Please let us know if we answered all of your enquiries and if so, please mark the answer as the solution, so it will be easier for other community members to find it.
Best regards:
Ferenc
[1] http://blog.cloudera.com/blog/2016/05/clouderas-process-for-handling-security-vulnerabilities/
[2] http://www.apache.org/security/committers.html#vulnerability-handling
[3] https://docs.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html
Ferenc Erdelyi, Technical Solutions Manager
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
