Open Source Databases

 View Only

Cloudera Technical Service Bulletin 2021-434 (TSB)

  • 1.  Cloudera Technical Service Bulletin 2021-434 (TSB)

    Posted Tue January 19, 2021 11:50 AM
    Edited by System Test Fri January 20, 2023 04:18 PM

    Load Balancing Provider Fails to invalidate Cache on Key Delete

    The KMS Load balancing Provider has not been correctly invalidating the cache on key delete operations. The failure to invalidate the cache on key delete operations can result in the possibility that data can be leaked from the framework for a short period of time based on the value of the property. Its default value is 30,000ms. When the KMS is deployed in an HA pattern the KMSLoadBalancingProvider class will only send the delete operation to one KMS role instance in a round-robin fashion. The code lacks a call to invalidate the cache across all instances and can leave key information including the metadata and key stored (the deleted key) in the cache on one or more KMS instances up to the key cache timeout.


    • HADOOP-17208
    • HADOOP-17304

    Products affected: 

    • CDH
    • HDP
    • CDP

    Releases affected: 

    • CDH 5.x
    • CDH 6.x
    • CDP 7.0.x
    • CDP 7.1.4 and earlier
    • HDP 2.6 and later

    Users affected: 

    • Customers with Data-at-rest encryption enabled that have more than 1 kms role instance and the services Key Cache enabled.


    • Key Meta-data and Key material may remain active within the service cache.


    • Medium

     Action required:

    • CDH customers: Upgrade to CDP 7.1.5 or request a patch
    • HDP customers: Request a patch

    Lynn Chou
    Offering Manager, Cloudera Partnership