Cloudera Manager through 5.15 Improper Access Control Vulnerability

Summary

Cloudera Manager through 5.15 has an Incorrect Access Control vulnerability.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#cloudera_manager


Details

The ZooKeeper service optionally exposes a JMX port used for reporting and metrics. By default, Cloudera Manager enables this port, but prior to Cloudera Manager 6.1.0 it did not support mutual TLS authentication on this connection. JMX has a password-based authentication mechanism, which Cloudera Manager enables by default, but weaknesses have been found in that mechanism, and Oracle now advises enabling mutual TLS authentication on JMX connections in addition to password-based authentication. A successful attack may leak data, cause denial of service, or even allow arbitrary code execution in the Java process that exposes the JMX port. Starting in Cloudera Manager 6.1.0, it is possible to configure mutual TLS authentication on ZooKeeper's JMX port.
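To check whether a ZooKeeper (or any other) JVM is running with the weak configuration described above, password authentication only, rather than password plus mutual TLS, the following added audit script inspects the JVM's command line. It is example code written for this page, not Cloudera's or the bulletin's; it assumes the standard JDK `com.sun.management.jmxremote.*` system properties and their documented defaults, and the two sample command lines are constructed, not real Cloudera Manager output.

```python
import shlex

# Standard JDK JMX agent properties and the defaults the JDK applies once
# com.sun.management.jmxremote.port is set (assumed from JDK documentation).
JMX_DEFAULTS = {
    "com.sun.management.jmxremote.authenticate": "true",
    "com.sun.management.jmxremote.ssl": "true",
    "com.sun.management.jmxremote.registry.ssl": "false",
    "com.sun.management.jmxremote.ssl.need.client.auth": "false",
}

def parse_system_properties(cmdline):
    """Collect the -Dkey=value pairs from a JVM command line (as shown by ps)."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D"):
            key, sep, value = arg[2:].partition("=")
            props[key] = value if sep else ""   # bare -Dkey sets an empty value
    return props

def audit_jmx(cmdline):
    """Return finding codes; [] means JMX is not remote, or has password auth plus mutual TLS."""
    props = parse_system_properties(cmdline)
    if "com.sun.management.jmxremote.port" not in props:
        return []                              # no remote JMX agent is started
    def on(name):
        return props.get(name, JMX_DEFAULTS[name]).strip().lower() == "true"
    findings = []
    if not on("com.sun.management.jmxremote.authenticate"):
        findings.append("jmx-no-password-auth")
    if not on("com.sun.management.jmxremote.ssl"):
        findings.append("jmx-no-tls")           # the password is the only barrier
    else:
        if not on("com.sun.management.jmxremote.ssl.need.client.auth"):
            findings.append("jmx-no-client-cert-auth")   # TLS, but not mutual TLS
        elif "javax.net.ssl.trustStore" not in props:
            findings.append("jmx-client-auth-without-truststore")
        if not on("com.sun.management.jmxremote.registry.ssl"):
            findings.append("jmx-rmi-registry-plaintext")
    return findings

# Constructed sample command lines for a ZooKeeper JVM (hypothetical paths).
WEAK_ZK = ("java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true "
           "-Dcom.sun.management.jmxremote.ssl=false org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zk/zoo.cfg")
HARDENED_ZK = ("java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true "
               "-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.registry.ssl=true "
               "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Djavax.net.ssl.keyStore=/etc/zk/jmx.jks "
               "-Djavax.net.ssl.trustStore=/etc/zk/truststore.jks org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zk/zoo.cfg")
```

Running `audit_jmx` over the output of `ps -o args` for each Java process on a node gives a quick inventory of JMX ports that still rely on the password mechanism alone.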

Vulnerable Systems:

Cloudera Manager 6.1.0 and lower

Cloudera Manager 5.16 and lower

CVE Information:

CVE-2014-11744

Disclosure Timeline:
Published Date: 07/16/2019
