Heartbleed Vulnerability in OpenSSL
The Heartbleed vulnerability is a serious vulnerability in OpenSSL as described at http://heartbleed.com/ (OpenSSL TLS heartbeat read overrun, CVE-2014-0160). Cloudera products do not ship with OpenSSL, but some components use this library. Customers using OpenSSL with Cloudera products need to update their OpenSSL library to one that doesn’t contain the vulnerability.
- All versions of OpenSSL 1.0.1 prior to 1.0.1g
- Hadoop Pipes uses OpenSSL.
- If SSL encryption is enabled for Impala's RPC implementation (by setting --ssl_server_certificate). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
- If HTTPS is enabled for Impala’s debug web server pages (by setting --webserver_certificate_file). This applies to any of the three Impala daemon processes: impalad, catalogd and statestored.
- If HTTPS is used with Hue.
- Cloudera Manager agents, with TLS turned on, will use OpenSSL.
- All users of the above scenarios.
Severity: High (if using the scenarios above)
- Ensure your Linux distribution version does not have the vulnerability.
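
A host-side triage sketch for the check above, added here as an example and not Cloudera's own tooling: it classifies an `openssl version` banner against the range stated in this advisory and reports which of the two Impala flags named above appear in a daemon command line. The function names and the sample inputs are constructed, and the flag matching assumes the flags are written as `--name=value` or `--name value`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Cloudera tool.

# Classify an `openssl version` banner against the advisory's range
# (all 1.0.1 releases prior to 1.0.1g). Prints one of:
#   in-affected-range | outside-affected-range | unparsed
# Caveat: Linux distributions commonly backport the fix without changing the
# upstream version letter, so "in-affected-range" means "check the distribution
# package changelog for CVE-2014-0160", not "confirmed vulnerable".
classify_openssl_version() {
    # Field 2 of e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" is the version.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%%-*}   # drop build suffixes such as -fips
    case "$ver" in
        1.0.1|1.0.1[abcdef])   echo in-affected-range ;;
        [0-9]*.[0-9]*.[0-9]*)  echo outside-affected-range ;;
        *)                     echo unparsed ;;
    esac
}

# Report which of the two Impala flags named in the advisory appear in the
# command line or flag-file text passed as $1 (space-separated, may be empty).
impala_tls_flags() {
    found=""
    for flag in ssl_server_certificate webserver_certificate_file; do
        case "$1" in
            *"-$flag="*|*"-$flag "*) found="$found $flag" ;;
        esac
    done
    echo "${found# }"
}

# Stand-alone use: classify the openssl binary on PATH, if there is one.
# The library a daemon actually loads may differ from this binary's build.
if command -v openssl >/dev/null 2>&1; then
    echo "openssl on PATH: $(classify_openssl_version "$(openssl version)")"
fi
```

A daemon that was running before the library was updated keeps the old library mapped until it is restarted.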