@zuo The CDH5 cluster are shipped with Zookeeper 3.4.5 sop this Digest authentication flaw affects it. However the CDH cluster uses only either Simple or Kerberos authentication and not Digest. We use the Digest authentication temporarily in clusters when the Zookeeper database content needs to be examined or fixed. These usage is tightly controlled byt the Cloudera Support Engineers, and typically this access is removed at the end of the support calls. Again, in the routine operation the cluster does not use Digest authentication so the vulnerability does not affect the standard CDH installations. Sure if someone has manually customised the cluster heavily and chosen to use Digest then they need a fix to remove this security bug. That is why Cloudera fixes this issue, and the patch will be included in CDH5.16.2 and and CDH6.2 and the onward releases. If you manually modified the Zookeeper authentication configuration then we recommend to upgrade it to CDH5.16.2. Otherwise you have nothing to do with this CVE. Digest authentication is only used for the "super" user enablement which is not for the routine. 1) Java Configuration Options for ZooKeeper Server: -Dzookeeper.DigestAuthenticationProvider.superDigest=super:cY+9eK20soteVC3fQ83SXDvwlP0= 2) zookeeper-client -> addauth digest super:cloudera
... View more
