Created on 04-25-2021 07:31 PM - edited 09-16-2022 07:41 AM
Hello,
We're using Cloudera Manager 6.3.1 to deploy CDH6.3.2, and its Zookeeper component version is 3.4.5+cdh6.3.2, but we found a vulnerability, CVE-2019-0201, from https://www.cvedetails.com/cve/CVE-2019-0201/?q=CVE-2019-0201
(An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string.)
Now I want to upgrade Zookeeper to deal with this vulnerability in CDH6.3.2, but I don't know what I should do. Should I use an independent Zookeeper-3.4.14 to replace Zookeeper-3.4.5+cdh6.3.2?
Thank you in advance !
Best Regards !
Yushuo
Created on 04-26-2021 01:36 AM - edited 04-26-2021 01:37 AM
@zuo The CDH5 clusters are shipped with Zookeeper 3.4.5, so this Digest authentication flaw affects them. However, the CDH cluster uses only either Simple or Kerberos authentication and not Digest. We use Digest authentication temporarily in clusters when the Zookeeper database content needs to be examined or fixed. This usage is tightly controlled by the Cloudera Support Engineers, and typically this access is removed at the end of the support call.
Again, in routine operation the cluster does not use Digest authentication, so the vulnerability does not affect standard CDH installations. Sure, if someone has manually customised the cluster heavily and chosen to use Digest, then they need a fix to remove this security bug. That is why Cloudera fixes this issue, and the patch will be included in CDH5.16.2 and CDH6.2 and onward releases. If you manually modified the Zookeeper authentication configuration, then we recommend upgrading to CDH5.16.2. Otherwise you have nothing to do for this CVE.
Digest authentication is only used for the "super" user enablement, which is not for routine use.
1) Java Configuration Options for ZooKeeper Server: -Dzookeeper.DigestAuthenticationProvider.superDigest=super:cY+9eK20soteVC3fQ83SXDvwlP0=
2) zookeeper-client -> addauth digest super:cloudera
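Added example (not code from the thread, from Cloudera or from ZooKeeper itself): a small Python script that reproduces the superDigest construction used in step 1 above, so you can verify that a configured value really corresponds to the user:password you intend to pass to addauth in step 2, and that scans a znode ACL listing for digest-scheme entries, which are the entries whose Id field (user:hash) an unprivileged getACL call returns under CVE-2019-0201. The ACL snapshot SAMPLE_ACLS is constructed for the example; the hash string reused in it is the one from the reply above, taken as an arbitrary value and not claimed to be the hash of any particular password. The digest construction, user plus ":" plus base64 of SHA-1 over "user:password", is the one ZooKeeper's DigestAuthenticationProvider.generateDigest uses.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed znode ACL snapshot for this example (not from a real cluster):
# path -> list of (scheme, id, perms), as `getAcl <path>` prints them.
# The digest id on /custom reuses the hash string from the reply above as an
# arbitrary example value; it is not claimed to be the hash of any password.
SAMPLE_ACLS: Dict[str, List[Tuple[str, str, str]]] = {
    "/": [("world", "anyone", "cdrwa")],
    "/hbase": [("sasl", "hbase", "cdrwa"), ("world", "anyone", "r")],
    "/solr": [("sasl", "solr", "cdrwa")],
    "/custom": [("digest", "admin:cY+9eK20soteVC3fQ83SXDvwlP0=", "cdrwa")],
}


def generate_digest(user: str, password: str) -> str:
    """Same construction as ZooKeeper's DigestAuthenticationProvider.generateDigest:
    '<user>:' + base64(SHA-1('<user>:<password>')). The result is what goes
    after superDigest= in the server JVM option."""
    raw = f"{user}:{password}".encode("utf-8")
    hashed = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{user}:{hashed}"


def digest_is_well_formed(digest: str) -> bool:
    """A digest id must be '<user>:<base64 of the 20 SHA-1 bytes>'."""
    if ":" not in digest:
        return False
    _, b64 = digest.split(":", 1)
    try:
        # binascii.Error (bad characters, bad padding) is a ValueError subclass
        return len(base64.b64decode(b64, validate=True)) == 20
    except ValueError:
        return False


def digest_matches(configured_digest: str, user: str, password: str) -> bool:
    """Check that a configured superDigest value corresponds to user:password,
    i.e. that `addauth digest user:password` will actually be accepted."""
    return configured_digest == generate_digest(user, password)


def find_digest_acls(acls: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Paths whose ACL contains a digest-scheme entry. Under CVE-2019-0201 the
    Id field of such entries (user:hash) is returned to any client calling
    getACL without a permission check, so these are the nodes to review."""
    return sorted(
        path for path, entries in acls.items()
        if any(scheme == "digest" for scheme, _, _ in entries)
    )


def leaked_digest_ids(acls: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, List[str]]:
    """The user:hash strings an unprivileged getACL would reveal, per path."""
    return {
        path: [id_ for scheme, id_, _ in entries if scheme == "digest"]
        for path, entries in acls.items()
        if any(scheme == "digest" for scheme, _, _ in entries)
    }


if __name__ == "__main__":
    super_digest = generate_digest("super", "cloudera")
    print("superDigest for super:cloudera ->", super_digest)
    print("well formed:", digest_is_well_formed(super_digest))
    print("digest-scheme ACLs:", find_digest_acls(SAMPLE_ACLS))
    print("ids exposed by getACL:", leaked_digest_ids(SAMPLE_ACLS))
```

To run the scan against a live ensemble rather than the constructed snapshot, replace SAMPLE_ACLS with ACLs read from the cluster (for example with kazoo, whose KazooClient.get_acls(path) returns the ACL list and stat for a znode) and walk the tree from "/". If the scan reports no digest-scheme entries, the cluster is in the state the reply above describes as unaffected in routine operation.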
Created 04-26-2021 05:54 PM
Hi Gangwar,
Thanks for your reply. We're using CDH6.3.2; does it mean that we can use Digest authentication to reduce the risk from this CVE?