[ 
https://issues.apache.org/jira/browse/HBASE-16662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Purtell updated HBASE-16662:
-----------------------------------
       Resolution: Fixed
     Hadoop Flags: Reviewed
    Fix Version/s: 1.2.4
                   0.98.23
                   1.1.7
                   1.4.0
                   1.3.0
                   2.0.0
           Status: Resolved  (was: Patch Available)

> Fix open POODLE vulnerabilities
> -------------------------------
>
>                 Key: HBASE-16662
>                 URL: https://issues.apache.org/jira/browse/HBASE-16662
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, Thrift
>            Reporter: Ben Lau
>            Assignee: Ben Lau
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.7, 0.98.23, 1.2.4
>
>         Attachments: HBASE-16662-master.patch
>
>
> We recently found a security issue in our HBase REST servers.  The issue is a 
> variant of the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE) 
> and is present in the HBase Thrift server as well.  It also appears to affect 
> the JMXListener coprocessor.  The vulnerabilities probably affect all 
> versions of HBase that have the affected services.  (If you don't use the 
> affected services with SSL then this ticket probably doesn't affect you).
> Included is a patch to fix the known POODLE vulnerabilities in master.  Let 
> us know if we missed any.  From our end we only personally encountered the 
> HBase REST vulnerability.  We do not use the Thrift server or JMXListener 
> coprocessor but discovered those problems after discussing the issue with 
> some of the HBase PMCs.
> Coincidentally, Hadoop recently committed a SslSelectChannelConnectorSecure 
> which is more or less the same as one of the fixes in this patch.  Hadoop 
> wasn't originally affected by the vulnerability in the 
> SslSelectChannelConnector, but about a month ago they committed HADOOP-12765 
> which does use that class, so they added a SslSelectChannelConnectorSecure 
> class similar to this patch.  Since this class is present in Hadoop 2.7.4+ 
> which hasn't been released yet, we will for now just include our own version 
> instead of depending on the Hadoop version.
> After the patch is approved for master we can backport as necessary to older 
> versions of HBase.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to