Ben Lau created HBASE-16662:
-------------------------------
Summary: Fix open POODLE vulnerabilities
Key: HBASE-16662
URL: https://issues.apache.org/jira/browse/HBASE-16662
Project: HBase
Issue Type: Bug
Components: REST, Thrift
Reporter: Ben Lau
Assignee: Ben Lau
We recently found a security issue in our HBase REST servers. The issue is a
variant of the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE) and
is present in the HBase Thrift server as well. It also appears to affect the
JMXListener coprocessor. The vulnerabilities probably affect all versions of
HBase that have the affected services. (If you don't use the affected services
with SSL then this ticket probably doesn't affect you).
Included is a patch to fix the known POODLE vulnerabilities in master. Let us
know if we missed any. From our end we only personally encountered the HBase
REST vulnerability. We do not use the Thrift server or JMXListener coprocessor
but discovered those problems after discussing the issue with some of the HBase
PMCs.
Coincidentally, Hadoop recently committed an SslSelectChannelConnectorSecure
which is more or less the same as one of the fixes in this patch. Hadoop
wasn't originally affected by the vulnerability in the
SslSelectChannelConnector, but about a month ago they committed HADOOP-12765
which does use that class, so they added an SslSelectChannelConnectorSecure
class similar to this patch. Since this class is present in Hadoop 2.7.4+
which hasn't been released yet, we will for now just include our own version
instead of depending on the Hadoop version.
After the patch is approved for master we can backport as necessary to older
versions of HBase.
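As an added illustration (not the patch attached to this ticket and not Hadoop's class), the shape of a Jetty 6 connector subclass that removes SSLv3 from the protocols each SSLEngine may negotiate; it assumes Jetty 6's org.mortbay.jetty.security.SslSelectChannelConnector with a protected createSSLEngine() hook, and the package and class names are hypothetical.

```java
package example.hbase.security; // hypothetical package, not HBase's own

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.SSLEngine;

import org.mortbay.jetty.security.SslSelectChannelConnector;

/**
 * Jetty 6 SSL connector that never offers SSLv3.
 *
 * POODLE abuses SSLv3's CBC padding, and a server that still enables SSLv3
 * can be downgraded to it even when both sides support TLS. The robust
 * mitigation is to refuse SSLv3 on the server side, which this class does by
 * filtering the enabled-protocol list of every SSLEngine Jetty creates.
 */
public class SslSelectChannelConnectorNoSslv3 extends SslSelectChannelConnector {

  /** Protocol names, as reported by the JDK SSLEngine, that must stay disabled. */
  private static final String[] FORBIDDEN = { "SSLv3" };

  @Override
  protected SSLEngine createSSLEngine() throws IOException {
    SSLEngine engine = super.createSSLEngine();
    engine.setEnabledProtocols(withoutForbidden(engine.getEnabledProtocols()));
    return engine;
  }

  /** Returns a copy of {@code enabled} with every forbidden protocol removed. */
  static String[] withoutForbidden(String[] enabled) {
    List<String> kept = new ArrayList<String>();
    for (String protocol : enabled) {
      boolean forbidden = false;
      for (String f : FORBIDDEN) {
        if (f.equalsIgnoreCase(protocol)) {
          forbidden = true;
          break;
        }
      }
      if (!forbidden) {
        kept.add(protocol);
      }
    }
    return kept.toArray(new String[kept.size()]);
  }
}
```

To confirm the change from a client, a handshake restricted to SSLv3 (for example `openssl s_client -ssl3 -connect host:port`, using an OpenSSL build that still has SSLv3 compiled in) should fail against the patched REST or Thrift port, while a plain TLS handshake still succeeds.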
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)