Ben Lau created HBASE-16662:

             Summary: Fix open POODLE vulnerabilities
                 Key: HBASE-16662
             Project: HBase
          Issue Type: Bug
          Components: REST, Thrift
            Reporter: Ben Lau
            Assignee: Ben Lau

We recently found a security issue in our HBase REST servers.  The issue is a 
variant of the POODLE vulnerability ( and 
is present in the HBase Thrift server as well.  It also appears to affect the 
JMXListener coprocessor.  The vulnerabilities probably affect all versions of 
HBase that have the affected services.  (If you don't use the affected services 
with SSL then this ticket probably doesn't affect you).

Included is a patch to fix the known POODLE vulnerabilities in master.  Let us 
know if we missed any.  From our end we only personally encountered the HBase 
REST vulnerability.  We do not use the Thrift server or JMXListener coprocessor 
but discovered those problems after discussing the issue with some of the HBase 

Coincidentally, Hadoop recently committed a SslSelectChannelConnectorSecure 
which is more or less the same as one of the fixes in this patch.  Hadoop 
wasn't originally affected by the vulnerability in the 
SslSelectChannelConnector, but about a month ago they committed HADOOP-12765 
which does use that class, so they added a SslSelectChannelConnectorSecure 
class similar to this patch.  Since this class is present in Hadoop 2.7.4+ 
which hasn't been released yet, we will for now just include our own version 
instead of depending on the Hadoop version.

After the patch is approved for master we can backport as necessary to older 
versions of HBase.

This message was sent by Atlassian JIRA

Reply via email to