Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm
Precedence: bulk
Date: Thu, 22 Sep 2016 21:42:20 +0000 (UTC)
From: "Andrew Purtell (JIRA)" <jira@apache.org>
To: issues@hbase.apache.org
Message-ID: <JIRA.13006315.1474406139000.642825.1474580540561@Atlassian.JIRA>
In-Reply-To: <JIRA.13006315.1474406139000@Atlassian.JIRA>
References: <JIRA.13006315.1474406139000@Atlassian.JIRA> <JIRA.13006315.1474406139647@arcas>
Subject: [jira] [Comment Edited] (HBASE-16662) Fix open POODLE
 vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
archived-at: Thu, 22 Sep 2016 21:42:22 -0000


    [ https://issues.apache.org/jira/browse/HBASE-16662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514560#comment-15514560 ] 

Andrew Purtell edited comment on HBASE-16662 at 9/22/16 9:41 PM:
-----------------------------------------------------------------

Going to commit to all branches. 

For 0.98, in order to avoid POODLE vulnerabilities in the embedded servlets (via InfoServer) it is also necessary to build HBase with a version of Hadoop that has HADOOP-11260, which I think is 2.5.2 or later. The default 0.98 build specifies 2.2.0. I'm sure nobody runs that in production at this point, but we still do that for sake of build compatibility.


was (Author: apurtell):
Going to commit to all branches. 

For 0.98, in order to avoid POODLE vulnerabilities it is also necessary to build HBase with a version of Hadoop that has HADOOP-11260, which I think is 2.5.2 or later. The default 0.98 build specifies 2.2.0. I'm sure nobody runs that in production at this point, but we still do that for sake of build compatibility.

> Fix open POODLE vulnerabilities
> -------------------------------
>
>                 Key: HBASE-16662
>                 URL: https://issues.apache.org/jira/browse/HBASE-16662
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, Thrift
>            Reporter: Ben Lau
>            Assignee: Ben Lau
>         Attachments: HBASE-16662-master.patch
>
>
> We recently found a security issue in our HBase REST servers.  The issue is a variant of the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE) and is present in the HBase Thrift server as well.  It also appears to affect the JMXListener coprocessor.  The vulnerabilities probably affect all versions of HBase that have the affected services.  (If you don't use the affected services with SSL then this ticket probably doesn't affect you).
> Included is a patch to fix the known POODLE vulnerabilities in master.  Let us know if we missed any.  From our end we only personally encountered the HBase REST vulnerability.  We do not use the Thrift server or JMXListener coprocessor but discovered those problems after discussing the issue with some of the HBase PMCs.
> Coincidentally, Hadoop recently committed a SslSelectChannelConnectorSecure which is more or less the same as one of the fixes in this patch.  Hadoop wasn't originally affected by the vulnerability in the SslSelectChannelConnector, but about a month ago they committed HADOOP-12765 which does use that class, so they added a SslSelectChannelConnectorSecure class similar to this patch.  Since this class is present in Hadoop 2.7.4+ which hasn't been released yet, we will for now just include our own version instead of depending on the Hadoop version.
> After the patch is approved for master we can backport as necessary to older versions of HBase.


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)