hbase-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16662) Fix open POODLE vulnerabilities
Date Fri, 23 Sep 2016 11:36:22 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15516195#comment-15516195 ]

Hudson commented on HBASE-16662:
--------------------------------

FAILURE: Integrated in Jenkins build HBase-1.1-JDK8 #1870 (See [https://builds.apache.org/job/HBase-1.1-JDK8/1870/])
HBASE-16662 Fix open POODLE vulnerabilities (apurtell: rev 97ce640f5d71cc10828a7895298e2bbb482b1068)
* (edit) hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
* (add) hbase-server/src/main/java/org/apache/hadoop/hbase/SslRMIClientSocketFactorySecure.java
* (edit) hbase-server/src/main/java/org/apache/hadoop/hbase/JMXListener.java
* (edit) hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
* (add) hbase-server/src/main/java/org/apache/hadoop/hbase/SslRMIServerSocketFactorySecure.java
* (add) hbase-server/src/main/java/org/apache/hadoop/hbase/jetty/SslSelectChannelConnectorSecure.java


> Fix open POODLE vulnerabilities
> -------------------------------
>
>                 Key: HBASE-16662
>                 URL: https://issues.apache.org/jira/browse/HBASE-16662
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, Thrift
>            Reporter: Ben Lau
>            Assignee: Ben Lau
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.7, 0.98.23, 1.2.4
>
>         Attachments: HBASE-16662-master.patch
>
>
> We recently found a security issue in our HBase REST servers. The issue is a variant
> of the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE) and is present in the HBase
> Thrift server as well. It also appears to affect the JMXListener coprocessor. The vulnerabilities
> probably affect all versions of HBase that have the affected services. (If you don't use
> the affected services with SSL then this ticket probably doesn't affect you).
>
> Included is a patch to fix the known POODLE vulnerabilities in master. Let us know if
> we missed any. From our end we only personally encountered the HBase REST vulnerability.
> We do not use the Thrift server or JMXListener coprocessor but discovered those problems
> after discussing the issue with some of the HBase PMCs.
>
> Coincidentally, Hadoop recently committed a SslSelectChannelConnectorSecure which is
> more or less the same as one of the fixes in this patch. Hadoop wasn't originally affected
> by the vulnerability in the SslSelectChannelConnector, but about a month ago they committed
> HADOOP-12765 which does use that class, so they added a SslSelectChannelConnectorSecure class
> similar to this patch. Since this class is present in Hadoop 2.7.4+ which hasn't been released
> yet, we will for now just include our own version instead of depending on the Hadoop version.
>
> After the patch is approved for master we can backport as necessary to older versions
> of HBase.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
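The `*Secure` socket factories and connector listed in the build notice above point at the fix pattern for this class of issue: take SSLv3 out of the protocol set the server is willing to negotiate, so a POODLE-style downgrade has nothing to land on. As an added illustration that is not HBase's own code (the patch itself is not reproduced on this page), here is a JMX/RMI server socket factory written in that style; the class and helper names are my own.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/**
 * Illustrative RMI server socket factory (hypothetical name, not HBase code)
 * that refuses to negotiate SSLv3, the protocol POODLE relies on. Each
 * accepted TCP connection is wrapped in an SSLSocket whose protocol list has
 * SSLv3 removed before the handshake starts.
 */
public class PoodleSafeRMIServerSocketFactory extends SslRMIServerSocketFactory {

  /** Copy of {@code enabled} without SSLv3; TLS versions pass through. */
  static String[] withoutSslv3(String[] enabled) {
    List<String> kept = new ArrayList<>();
    for (String proto : enabled) {
      if (!"SSLv3".equalsIgnoreCase(proto)) {
        kept.add(proto);
      }
    }
    return kept.toArray(new String[0]);
  }

  @Override
  public ServerSocket createServerSocket(int port) throws IOException {
    return new ServerSocket(port) {
      @Override
      public Socket accept() throws IOException {
        Socket plain = super.accept();
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // autoClose=true: closing the SSL layer also closes the TCP socket.
        SSLSocket ssl = (SSLSocket) sf.createSocket(plain,
            plain.getInetAddress().getHostName(), plain.getPort(), true);
        ssl.setUseClientMode(false);
        ssl.setNeedClientAuth(getNeedClientAuth());
        // The hardening step: SSLv3 is gone before any handshake bytes flow.
        ssl.setEnabledProtocols(withoutSslv3(ssl.getEnabledProtocols()));
        return ssl;
      }
    };
  }
}
```

Wire it in by passing an instance as `RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE` in the JMX connector server's environment map. A client that still offers SSLv3 alongside TLS negotiates TLS as usual; one that offers only SSLv3 is rejected rather than downgraded to.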
