Hi Asif,

Here is the announcement on the Cloudera WebSite:
http://www.cloudera.com/content/cloudera-content/cloudera-docs/SecurityBulletins/3.25.2013/Security-Bulletin/csb_topic_1.html?scroll=topic_1

And CDH 4.3.1 has been released to fix that and is available there:
https://www.cloudera.com/content/support/en/downloads.html

JM

2013/8/24 Asaf Mesika <[email protected]>

> Any Cloudera release for that as well?
>
> On Saturday, August 24, 2013, Aaron T. Myers wrote:
>
> > Hello,
> >
> > Please see below for the official announcement of a serious security
> > vulnerability which has been discovered and subsequently fixed in Apache
> > HBase releases.
> >
> > Best,
> > Aaron
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
> >
> > Severity: Severe
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > All versions of HBase 0.92.x prior to 0.92.3.
> > All versions of HBase 0.94.x prior to 0.94.9.
> >
> > Users affected: Users who have enabled HBase's Kerberos security features
> > and who run HBase co-located on a cluster with Hadoop MapReduce or Hadoop
> > YARN.
> >
> > Impact: RPC traffic from clients to Region Servers may be intercepted by a
> > malicious user with access to run tasks or containers on a cluster.
> >
> > Description:
> > The Apache HBase RPC protocol is intended to provide bidirectional
> > authentication between clients and servers. However, a malicious server or
> > network attacker can unilaterally disable these authentication checks. This
> > allows for potential reduction in the configured quality of protection of
> > the RPC traffic, and privilege escalation if authentication credentials are
> > passed over RPC.
> >
> > Mitigation:
> > Users of HBase 0.92.x versions prior to 0.92.3 should immediately upgrade
> > to 0.92.3 when it becomes available, or to 0.94.9 or later.
> > Users of HBase 0.94.x versions prior to 0.94.9 should immediately upgrade
> > to 0.94.9 or later.
> >
> > Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T.
> > Myers of Cloudera.
