hbase-dev mailing list archives

From "Ben Lau (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-16662) Fix open POODLE vulnerabilities
Date Tue, 20 Sep 2016 21:16:20 GMT
Ben Lau created HBASE-16662:

             Summary: Fix open POODLE vulnerabilities
                 Key: HBASE-16662
                 URL: https://issues.apache.org/jira/browse/HBASE-16662
             Project: HBase
          Issue Type: Bug
          Components: REST, Thrift
            Reporter: Ben Lau
            Assignee: Ben Lau

We recently found a security issue in our HBase REST servers.  The issue is a variant of the
POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE) and is present in the HBase Thrift
server as well.  It also appears to affect the JMXListener coprocessor.  The vulnerabilities
probably affect all versions of HBase that have the affected services.  (If you don't use
the affected services with SSL then this ticket probably doesn't affect you).

Included is a patch to fix the known POODLE vulnerabilities in master.  Let us know if we
missed any.  From our end we only personally encountered the HBase REST vulnerability.  We
do not use the Thrift server or JMXListener coprocessor but discovered those problems after
discussing the issue with some of the HBase PMCs.

Coincidentally, Hadoop recently committed a SslSelectChannelConnectorSecure which is more
or less the same as one of the fixes in this patch.  Hadoop wasn't originally affected by
the vulnerability in the SslSelectChannelConnector, but about a month ago they committed HADOOP-12765
which does use that class, so they added a SslSelectChannelConnectorSecure class similar to
this patch.  Since this class is present in Hadoop 2.7.4+ which hasn't been released yet,
we will for now just include our own version instead of depending on the Hadoop version.

After the patch is approved for master we can backport as necessary to older versions of HBase.
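The Jetty-side fix mentioned above (a connector class equivalent to Hadoop's SslSelectChannelConnectorSecure) comes down to one idea: every SSLEngine the connector hands out has SSLv3 removed from its enabled protocols, so a client can no longer negotiate the cipher-block-padding mode POODLE abuses. The following is an added illustration of that technique, not the HBASE-16662 patch and not Hadoop's class; it assumes Jetty 6.x (the org.mortbay packages HBase REST used at the time) on the classpath, and the `createSSLEngine()` override signature is the Jetty 6.1 one. The helper `withoutSslv3` and the class name are mine.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.mortbay.jetty.security.SslSelectChannelConnector;

/**
 * Illustrative Jetty 6 SSL connector that strips SSLv3 from each new SSLEngine.
 * Added example for HBASE-16662; not the committed patch. Assumes Jetty 6.x
 * (org.mortbay.jetty) is on the classpath.
 */
public class SslSelectChannelConnectorSecureExample extends SslSelectChannelConnector {

  /**
   * Returns a copy of the given protocol list with every SSLv3 entry removed.
   * TLSv1, TLSv1.1, TLSv1.2 and "SSLv2Hello" (a hello record format, not a
   * protocol version) pass through unchanged.
   */
  static String[] withoutSslv3(String[] protocols) {
    List<String> kept = new ArrayList<String>();
    for (String p : protocols) {
      if (!p.contains("SSLv3")) {
        kept.add(p);
      }
    }
    return kept.toArray(new String[kept.size()]);
  }

  /**
   * Jetty calls this once per accepted SSL connection; filtering here means
   * the restriction applies regardless of what the JVM or keystore defaults
   * happen to enable.
   */
  @Override
  protected SSLEngine createSSLEngine() throws IOException {
    SSLEngine engine = super.createSSLEngine();
    engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));
    return engine;
  }

  /** Shows the effect of the filter on the JVM's default SSLContext. */
  public static void main(String[] args) throws Exception {
    SSLEngine engine = SSLContext.getDefault().createSSLEngine();
    System.out.println("enabled before: " + Arrays.toString(engine.getEnabledProtocols()));
    engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));
    System.out.println("enabled after:  " + Arrays.toString(engine.getEnabledProtocols()));
  }
}
```

To use it with the REST server you would construct this class wherever the plain SslSelectChannelConnector is currently created and keep the same keystore configuration; the only behavioural change is the protocol list. On a JVM whose defaults still include SSLv3, the "before" line of `main` will list it and the "after" line will not, which is a quick way to confirm the filter does what the ticket needs before wiring it into Jetty.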

This message was sent by Atlassian JIRA
