[ https://issues.apache.org/jira/browse/HBASE-16662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15515164#comment-15515164 ]
Hudson commented on HBASE-16662:
--------------------------------

FAILURE: Integrated in Jenkins build HBase-1.4 #426 (See [https://builds.apache.org/job/HBase-1.4/426/])
HBASE-16662 Fix open POODLE vulnerabilities (apurtell: rev 69733040263d48a195d179c2390325a69416200f)
* (edit) hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
* (add) hbase-server/src/main/java/org/apache/hadoop/hbase/jetty/SslSelectChannelConnectorSecure.java
* (add) hbase-server/src/main/java/org/apache/hadoop/hbase/SslRMIClientSocketFactorySecure.java
* (edit) hbase-server/src/main/java/org/apache/hadoop/hbase/JMXListener.java
* (edit) hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
* (add) hbase-server/src/main/java/org/apache/hadoop/hbase/SslRMIServerSocketFactorySecure.java


> Fix open POODLE vulnerabilities
> -------------------------------
>
>                 Key: HBASE-16662
>                 URL: https://issues.apache.org/jira/browse/HBASE-16662
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, Thrift
>            Reporter: Ben Lau
>            Assignee: Ben Lau
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.7, 0.98.23, 1.2.4
>
>         Attachments: HBASE-16662-master.patch
>
>
> We recently found a security issue in our HBase REST servers. The issue is a
> variant of the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE)
> and is present in the HBase Thrift server as well. It also appears to affect
> the JMXListener coprocessor. The vulnerabilities probably affect all
> versions of HBase that have the affected services. (If you don't use the
> affected services with SSL then this ticket probably doesn't affect you.)
> Included is a patch to fix the known POODLE vulnerabilities in master. Let
> us know if we missed any. From our end we only personally encountered the
> HBase REST vulnerability. We do not use the Thrift server or JMXListener
> coprocessor but discovered those problems after discussing the issue with
> some of the HBase PMCs.
>
> Coincidentally, Hadoop recently committed an SslSelectChannelConnectorSecure
> which is more or less the same as one of the fixes in this patch. Hadoop
> wasn't originally affected by the vulnerability in the
> SslSelectChannelConnector, but about a month ago they committed HADOOP-12765
> which does use that class, so they added an SslSelectChannelConnectorSecure
> class similar to this patch. Since this class is present in Hadoop 2.7.4+
> which hasn't been released yet, we will for now just include our own version
> instead of depending on the Hadoop version.
>
> After the patch is approved for master we can backport as necessary to older
> versions of HBase.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
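The issue description above names the fix only by class (an SslSelectChannelConnectorSecure for Jetty, plus Secure variants of the RMI socket factories used by JMXListener) without showing the mechanism. POODLE is a padding-oracle attack that only works when a peer can still negotiate SSLv3, so the defensive fix at the JSSE level is to strip SSLv3 (and the SSLv2Hello pseudo-protocol) from the enabled protocol list on every SSL server and client socket the service creates. The following is an added illustration in plain JSSE, not code from the HBase patch or from Hadoop; the class and method names (PoodleSafeSockets, withoutSslv3, secureServerSocket, secureClientSocket, allowsSslv3) are my own, and the example uses the JVM's default SSLContext only so it runs without a keystore.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Illustrative helper (hypothetical, not HBase's own code) that applies the
 * POODLE mitigation: never leave SSLv3 in the enabled protocol set.
 */
public final class PoodleSafeSockets {

    /** Protocols a server or client must refuse to negotiate. */
    private static final List<String> DISABLED = Arrays.asList("SSLv3", "SSLv2Hello");

    private PoodleSafeSockets() {}

    /** Returns the input protocol list with SSLv3 and SSLv2Hello removed. */
    static String[] withoutSslv3(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (!DISABLED.contains(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** True if the given enabled-protocol list still permits an SSLv3 handshake. */
    static boolean allowsSslv3(String[] enabledProtocols) {
        return Arrays.asList(enabledProtocols).contains("SSLv3");
    }

    /** Server-side form: the equivalent of hardening a listener (REST/Thrift/JMX). */
    public static SSLServerSocket secureServerSocket(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket ss = (SSLServerSocket) factory.createServerSocket(port);
        // The socket inherits the provider's defaults; override them explicitly.
        ss.setEnabledProtocols(withoutSslv3(ss.getEnabledProtocols()));
        return ss;
    }

    /** Client-side form: the equivalent of hardening the RMI client socket factory. */
    public static SSLSocket secureClientSocket(SSLContext ctx, String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket s = (SSLSocket) factory.createSocket(host, port);
        s.setEnabledProtocols(withoutSslv3(s.getEnabledProtocols()));
        return s;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Bind an ephemeral local port just to inspect the resulting protocol list.
        SSLServerSocket ss = secureServerSocket(ctx, 0);
        System.out.println("Enabled protocols: " + Arrays.toString(ss.getEnabledProtocols()));
        System.out.println("SSLv3 still allowed: " + allowsSslv3(ss.getEnabledProtocols()));
        ss.close();
    }
}
```

Two practical notes. First, the check has to be applied per socket: setting protocols on the SSLContext or relying on provider defaults is not enough if a connector or socket factory later calls setEnabledProtocols itself, which is why the fix lands in the connector and socket-factory classes rather than in global configuration. Second, newer JDKs already list SSLv3 in the jdk.tls.disabledAlgorithms security property, so on such a JVM allowsSslv3 returns false even before the filter runs; the explicit filter matters for the older JDKs that the affected HBase release lines were built against, and it costs nothing where the platform has already disabled the protocol.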