Cloudera Manager Issues

Sensitive Configuration Values Exposed in Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are considered "sensitive", such as database passwords. These configuration values are expected to be inaccessible to non-admin users, and this is enforced in the Cloudera Manager Admin Console. However, these configuration values are not redacted when reading them through the API, possibly making them accessible to users who should not have such access.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0

Users affected: Cloudera Manager installations with non-admin users

Date/time of detection: May 7, 2014

Severity: High

Impact: Through the API only, non-admin users can access potentially sensitive configuration information

CVE: CVE-2014-0220

Immediate action required: Upgrade to Cloudera Manager 4.8.3 or Cloudera Manager 5.0.1 or disable non-admin users if you do not want them to have this access.

ETA for resolution: May 13, 2014

Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and Cloudera Manager 5.0.1

Cloudera Manager installs taskcontroller.cfg in insecure mode

Products affected: Cloudera Manager and Service and Configuration Manager

Releases affected: Cloudera Manager 3.7.0-3.7.4, Service and Configuration Manager 3.5 (in certain cases)

Users affected: Users on multi-user systems who have not enabled Hadoop Kerberos features. Users using the Hadoop security features are not affected.

Severity: Critical

Impact: Vulnerability allows a malicious user to impersonate other users on the systems running the Hadoop cluster.

Immediate action required: Upgrade to Cloudera Manager 3.7.5 and subsequently restart the MapReduce service.

Workarounds are available: Any of these workarounds is sufficient.

  • For CM 3.7.x (Enterprise Edition), edit the configuration "Minimum user ID for job submission" to a number higher than any UIDs on the system. 65535 is the largest value that Cloudera Manager will accept, and is typically sufficient. Restart the MapReduce service. To find the current maximum UID on your system, run
getent passwd | awk -F: '{ if ($3 > max) { max = $3; name = $1 } } END { print name, max }' 
  • For CM 3.7.x Free Edition, remove the file /usr/lib/hadoop-0.20/sbin/Linux-amd64-64/task-controller. Note that this file is part of the hadoop-0.20-sbin package and will be re-installed by upgrades.
  • For SCM 3.5, if the cluster has been run in both secure and non-secure configurations, remove /etc/hadoop/conf/taskcontroller.cfg from all TaskTrackers. Repeat this in the future if you reconfigure the cluster from a Kerberized to a non-Kerberized configuration.

Resolution: Mar 27, 2012

Addressed in release/refresh/patch: Cloudera Manager 3.7.5

Verification: Verify that, in non-secure clusters, /etc/hadoop/conf/taskcontroller.cfg is unconfigured on all TaskTrackers. (A file with only lines starting with # is unconfigured.)
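As an added example (not part of the Cloudera advisory), the following POSIX shell script automates the verification step above: it reports whether a taskcontroller.cfg is "unconfigured" (every line a # comment) or still carries active settings that the workaround says to remove. The sample files and their values are constructed for the demonstration; treating blank lines as unconfigured is an assumption, since the advisory mentions only comment lines.

```shell
#!/bin/sh
# Check a TaskTracker's taskcontroller.cfg for the "unconfigured" state
# described in the advisory (only lines beginning with '#').
# Assumption: blank/whitespace-only lines are also treated as unconfigured.

# Exit status: 0 = unconfigured (only comments/blank lines),
#              1 = contains active settings,
#              2 = file absent (also acceptable: the SCM 3.5 workaround
#                  removes the file entirely).
taskcontroller_unconfigured() {
    file="$1"
    [ -f "$file" ] || return 2
    # Drop comment lines, then look for any remaining non-blank content.
    if grep -v '^[[:space:]]*#' "$file" | grep -q '[^[:space:]]'; then
        return 1
    fi
    return 0
}

# Print the active (non-comment, non-blank) lines so an operator can see
# exactly what would have to be removed.
taskcontroller_active_settings() {
    grep -v '^[[:space:]]*#' "$1" | grep '[^[:space:]]'
}

# Constructed sample files standing in for /etc/hadoop/conf/taskcontroller.cfg.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/unconfigured.cfg" <<'EOF'
# Generated by Cloudera Manager
# no active settings
EOF
cat > "$tmpdir/configured.cfg" <<'EOF'
# Generated by Cloudera Manager
mapred.local.dir=/data/mapred/local
hadoop.log.dir=/var/log/hadoop
mapreduce.tasktracker.group=mapred
min.user.id=1000
EOF

for f in "$tmpdir"/*.cfg; do
    if taskcontroller_unconfigured "$f"; then
        echo "OK: $f is unconfigured"
    else
        echo "WARNING: $f has active settings:"
        taskcontroller_active_settings "$f"
    fi
done
```

To run it across a cluster, replace the sample loop with the real path on each TaskTracker (for example via ssh) and treat any WARNING as a host that still needs the workaround or the upgrade.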

If you are a Cloudera Enterprise customer and have further questions or need assistance, log a ticket with Cloudera Support through http://support.cloudera.com.

Two links in the Cloudera Manager Admin Console allow read-only access to arbitrary files on managed hosts

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 3.7.0 through 3.7.6, 4.0.0 (beta), and 4.0.1 (GA)

Users affected: All Cloudera Manager Users

Date vulnerability discovered: June 6, 2012

Date vulnerability analysis and validation complete: June 15, 2012

Severity: Medium

Impact: Any user, including non-admin users, logged in to the Cloudera Manager Admin Console can access any file on any host managed by Cloudera Manager.

Immediate action required:

Solution:

Upgrade to Cloudera Manager or Cloudera Manager Free Edition, version 3.7.7 or later, or version 4.0.2 or later.

Work Around:

If immediate upgrade is not possible, disable non-admin user access to Cloudera Manager to limit the vulnerability to Cloudera Manager admins.

Resolution: June 25th

Addressed in release/refresh/patch: Cloudera Manager or Cloudera Manager Free Edition 3.7.7 or later and 4.0.2 or later

Verification: Check the Cloudera Manager version number in the Help > About dialog box.

If you are a Cloudera Enterprise customer and have further questions or need assistance, log a ticket with Cloudera Support at http://support.cloudera.com.