From: "Ben Lau (JIRA)"
To: issues@hbase.apache.org
Date: Tue, 20 Sep 2016 21:22:20 +0000 (UTC)
Subject: [jira] [Updated] (HBASE-16662) Fix open POODLE vulnerabilities

     [ https://issues.apache.org/jira/browse/HBASE-16662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ben Lau updated HBASE-16662:
----------------------------
    Attachment: HBASE-16662-master.patch

> Fix open POODLE vulnerabilities
> -------------------------------
>
>                 Key: HBASE-16662
>                 URL: https://issues.apache.org/jira/browse/HBASE-16662
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, Thrift
>            Reporter: Ben Lau
>            Assignee: Ben Lau
>         Attachments: HBASE-16662-master.patch
>
>
> We recently found a security issue in our HBase REST servers. The issue is a variant of the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE) and is present in the HBase Thrift server as well. It also appears to affect the JMXListener coprocessor. The vulnerabilities probably affect all versions of HBase that have the affected services. (If you don't use the affected services with SSL then this ticket probably doesn't affect you.)
>
> Included is a patch to fix the known POODLE vulnerabilities in master. Let us know if we missed any. From our end we only personally encountered the HBase REST vulnerability. We do not use the Thrift server or JMXListener coprocessor but discovered those problems after discussing the issue with some of the HBase PMCs.
>
> Coincidentally, Hadoop recently committed a SslSelectChannelConnectorSecure which is more or less the same as one of the fixes in this patch. Hadoop wasn't originally affected by the vulnerability in the SslSelectChannelConnector, but about a month ago they committed HADOOP-12765 which does use that class, so they added a SslSelectChannelConnectorSecure class similar to this patch. Since this class is present in Hadoop 2.7.4+ which hasn't been released yet, we will for now just include our own version instead of depending on the Hadoop version.
>
> After the patch is approved for master we can backport as necessary to older versions of HBase.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
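POODLE is a padding-oracle attack on SSL 3.0, so the remedy behind a "secure" SSL connector such as the one the ticket describes is to stop offering SSLv3 on the server's SSLEngine. The following is an added illustration of that core step in plain JSSE; it is not the HBASE-16662 patch nor Hadoop's SslSelectChannelConnectorSecure, and the class and method names are hypothetical. The legacy protocol list in main() is constructed input.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper (not from the HBASE-16662 patch): strips SSLv3 from a JSSE engine. */
public final class PoodleSafeProtocols {
    /** Returns the protocol names minus "SSLv3" and the "SSLv2Hello" legacy hello format. */
    static String[] withoutSslv3(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String p : enabled) {
            // JSSE names the POODLE-affected protocol "SSLv3". "SSLv2Hello" only exists to
            // talk to pre-TLS clients, so it goes as well; every TLS version is kept.
            if (p.equalsIgnoreCase("SSLv3") || p.equalsIgnoreCase("SSLv2Hello")) {
                continue;
            }
            keep.add(p);
        }
        return keep.toArray(new String[0]);
    }

    /** Core of an SslSelectChannelConnectorSecure-style fix: filter the engine's enabled set. */
    static SSLEngine harden(SSLEngine engine) {
        engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));
        return engine;
    }

    /** Startup self-check or unit-test assertion: does the engine still offer SSLv3? */
    static boolean offersSslv3(SSLEngine engine) {
        for (String p : engine.getEnabledProtocols()) {
            if (p.equalsIgnoreCase("SSLv3")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed input: the kind of pre-fix enabled set an older JDK handed out.
        String[] legacy = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("filtered: " + Arrays.toString(withoutSslv3(legacy)));
        // Live engine from the default context: hardened, then verified before use.
        SSLEngine engine = harden(SSLContext.getDefault().createSSLEngine());
        System.out.println("enabled : " + Arrays.toString(engine.getEnabledProtocols()));
        if (offersSslv3(engine)) throw new IllegalStateException("SSLv3 still enabled; refusing to start");
    }
}
```

In a Jetty 6 SslSelectChannelConnector the natural place for harden() is an override of the connector's createSSLEngine() hook (an assumption about that API, not taken from the patch), so every accepted connection gets the filtered engine; the offersSslv3() check belongs in a unit test so a regression fails the build rather than reaching production.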