Technical Service Bulletin 2021-371 (Security), repost from Cloudera

 View Only

Technical Service Bulletin 2021-371 (Security), repost from Cloudera 

Tue January 19, 2021 12:04 PM

Hue Silently Disables StartTLS in LDAP Connections

There are two mechanisms to secure communication to an LDAP server. One is to use an ‘ldaps’ connection, where all traffic is encrypted inside a TLS tunnel - much like ‘https’.  The other is to use ‘StartTLS’, where traffic begins unencrypted in the “ldap” protocol and then upgrades itself to a TLS connection.
If StartTLS is enabled in the Hue configuration but the ‘ldap_cert’ parameter is not configured, then Hue silently disables StartTLS.  
StartTLS will not be used for synchronization or import, even if StartTLS is enabled and the ‘ldap_cert’ parameter is set.
The result is that connections that the administrator assumes to be secured, using StartTLS, are not actually secure.

CVE: CVE-2019-19146

Date/time of detection: 22nd March, 2019

Detected by: Ben Gooley, Cloudera

Severity (Low/Medium/High):  8.8 High (CVSS AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Products affected: 

  • CDH

Releases affected:

  • CDH 5.x
  • CDH 6.1.0
  • CDH 6.1.1 
  • CDH 6.2.0
  • CDH 6.2.1 
  • CDH 6.3.0

Users affected: 

  • All users who are using StartTLS enabled in the Hue configuration when using LDAP as Authentication Backend to login in Hue. 


  • Sensitive data exposure.

Action required:

Upgrade (recommended)
Update to a version of CDH containing the fix.
Use “ldaps” instead of “ldap” and StartTLS.

Addressed in release/refresh/patch:    

  • CDH 6.3.1 and above



0 Favorited
0 Files