
How to deal the vulnerability of CVE-2019-0201 in CDH6.3.2

New Contributor

Hello,

We're using Cloudera Manager 6.3.1 to deploy CDH6.3.2, and its Zookeeper component version is 3.4.5+cdh6.3.2, but we found a vulnerability, CVE-2019-0201, from https://www.cvedetails.com/cve/CVE-2019-0201/?q=CVE-2019-0201

(An issue is present in Apache Zookeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string.)

Now I want to upgrade Zookeeper to deal with this vulnerability in CDH6.3.2, but I don't know what I should do. Should I use an independent Zookeeper-3.4.14 to replace Zookeeper-3.4.5+cdh6.3.2?

Thank you in advance!

Best Regards!

Yushuo

1 ACCEPTED SOLUTION

Master Guru

@zuo The CDH5 clusters are shipped with Zookeeper 3.4.5, so this Digest authentication flaw affects them. However, the CDH cluster uses only either Simple or Kerberos authentication, not Digest. We use Digest authentication temporarily in clusters when the Zookeeper database content needs to be examined or fixed. This usage is tightly controlled by the Cloudera Support Engineers, and typically this access is removed at the end of the support call.
Again, in routine operation the cluster does not use Digest authentication, so the vulnerability does not affect standard CDH installations. Sure, if someone has manually customised the cluster heavily and chosen to use Digest, then they need a fix to remove this security bug. That is why Cloudera fixes this issue, and the patch will be included in CDH5.16.2 and CDH6.2 and onward releases. If you manually modified the Zookeeper authentication configuration then we recommend upgrading to CDH5.16.2. Otherwise you have nothing to do with this CVE.

Digest authentication is only used for enabling the "super" user, which is not routine.

1) Java Configuration Options for ZooKeeper Server: -Dzookeeper.DigestAuthenticationProvider.superDigest=super:cY+9eK20soteVC3fQ83SXDvwlP0=

2) zookeeper-client -> addauth digest super:cloudera


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

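The accepted answer reduces the question to two facts an operator can check: is the ZooKeeper build inside the CVE's affected version ranges, and has the Digest "super" user been enabled via the superDigest JVM option? The following is an added example, not code from this thread or from Cloudera, that turns those two checks into a small audit script. The version string comes from the question, the JVM option name from the answer; the sample JVM option values are constructed (with a placeholder in place of a real digest) and the function names are my own.

```python
"""Audit helper for CVE-2019-0201 exposure, based on the two facts in the
accepted answer: affected upstream version range, and whether the Digest
'super' user is enabled on the server.  Added example; not Cloudera code."""
import re
from typing import Dict, Tuple

# Ranges quoted from the CVE text in the question: 1.0.0 .. 3.4.13 and
# 3.5.0-alpha .. 3.5.4-beta.  Pre-release suffixes are dropped by the parser,
# so 3.5.0-alpha and 3.5.4-beta map to (3,5,0) and (3,5,4).
AFFECTED_RANGES = (
    ((1, 0, 0), (3, 4, 13)),
    ((3, 5, 0), (3, 5, 4)),
)

# JVM option named in the accepted answer that enables the Digest super user.
SUPERDIGEST_OPTION = "-Dzookeeper.DigestAuthenticationProvider.superDigest="

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return the upstream (major, minor, patch) of a ZooKeeper version string,
    ignoring vendor suffixes such as '+cdh6.3.2' or '-beta'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZooKeeper version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: str) -> bool:
    """True if the upstream version falls inside one of the CVE's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def super_digest_enabled(java_opts: str) -> bool:
    """True if the server JVM options contain the superDigest setting.
    Tokenises on whitespace so a substring inside another value doesn't match."""
    return any(tok.startswith(SUPERDIGEST_OPTION) for tok in java_opts.split())


def assess(version: str, java_opts: str) -> Dict[str, object]:
    """Combine both checks into the action the accepted answer implies:
    patched release needed only when the build is affected AND Digest super
    user is configured; otherwise follow the vendor's 'nothing to do' guidance."""
    affected = version_affected(version)
    digest_on = super_digest_enabled(java_opts)
    if not affected:
        action = "not-affected"
    elif digest_on:
        action = "patched-release-required"
    else:
        action = "no-action-per-vendor-guidance"
    return {
        "version": version,
        "version_affected": affected,
        "super_digest_enabled": digest_on,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed inputs: the version from the question, and two JVM option
    # strings, one of which carries the superDigest option with a placeholder
    # value rather than a real digest.
    routine_opts = "-Xmx1g -Djava.net.preferIPv4Stack=true"
    support_opts = routine_opts + " " + SUPERDIGEST_OPTION + "super:<digest-placeholder>"
    for opts in (routine_opts, support_opts):
        print(assess("3.4.5+cdh6.3.2", opts))
```

Run it against the real values from Cloudera Manager's "Java Configuration Options for ZooKeeper Server" field to see which branch a given cluster lands in; the superDigest value itself is never printed, only whether it is present.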

2 REPLIES


New Contributor

Hi Gangwar,

Thanks for your reply. We're using CDH6.3.2; does it mean that we can use Digest authentication to reduce the risk from this CVE?