Created on 08-25-2021 07:56 AM - last edited on 08-25-2021 06:51 PM by ask_bill_brooks
The components in HDP 3.1.5 are outdated and lack key security functionality.
Grafana is running v6.4.2, but has a major security issue that was patched in future releases: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
Infra Solr is running SOLR 7.7 and has an RCE vulnerability. This was patched in SOLR 8.3, which is not part of InfraSolr.
Zookeeper packaged is 3.4.6, but SSL implementation was added in 3.5.5
I saw some questions talking about "Patch Upgrades" but is there a guide to upgrading individual components in a cluster via Ambari or however?
Created 08-31-2021 01:36 AM
Hi @Eric_B
I saw some questions talking about "Patch Upgrades" but is there a guide to upgrading individual components in a cluster via Ambari or however?
> You may not be able to upgrade individual components via Ambari. You can either install a component or you can upgrade to the next available HDP 3.X version but I can see you are in the latest 3.1.5 version.
If you feel your Hadoop components have a particular vulnerability issue, please feel free to raise a case with Cloudera so we will check and clarify the same. If the vulnerability is legitimate and could cause harm to your infrastructure, we can provide a patch for the issue. In that way, you can overcome it.
If you are happy with the comment, mark it "Accept as Solution".
Created 08-31-2021 05:45 AM
Hi @Shifu
Thanks for the response! Regarding something you posted:
"You can either install a component or you can upgrade to the next available HDP 3.X version but I can see you are in the latest 3.1.5 version."
If I installed a later version of Zookeeper (for example), would Ambari recognize that later version in its management? Or would it exist in parallel with the version of Zookeeper packaged with 3.1.5?
The current big security issues I see I've listed in the original question. Is there a contact form?
Created 08-31-2021 08:04 PM
If I installed a later version of Zookeeper (for example), would Ambari recognize that later version in its management? Or would it exist in parallel with the version of Zookeeper packaged with 3.1.5?
> You have to install Zookeeper or any component via Ambari only. If you install it manually (via yum or apt) on the server, Ambari will not recognize it or consider it.
Grafana is running v6.4.2, but has a major security issue that was patched in future releases: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
Infra Solr is running SOLR 7.7 and has an RCE vulnerability. This was patched in SOLR 8.3, which is not part of Ambari 2.7.5's InfraSolr.
Zookeeper packaged is 3.4.6, but SSL implementation was added in 3.5.5
> As mentioned already, please create a support case with Cloudera along with the vulnerability CVE number so we can check with our team and confirm whether our product is vulnerable to the security concern or not. If it is, we can provide a patch to overcome it.
If you are happy with the comment, mark it "Accept as Solution".
Created 09-01-2021 06:51 AM
Ok, I think I understand.
I CAN install secure versions of these components, but that would be separate from Ambari and would sacrifice that level of control and maintenance. In order to get Ambari and these more secure components, I'll need to reach out to Cloudera for a private hotfix version or to upgrade off of HDP.
Thank you for the clarification.
Created 09-01-2021 10:06 PM
@Eric_B, if the reply helped resolve your issue, can you kindly please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.
Regards,
Vidya Sargur,
Created 09-01-2021 11:44 PM
Yes, your understanding is correct.