Technical Service Bulletin 2021-371 (Security), repost from Cloudera
Tue January 19, 2021 12:04 PM
Lynn Chou
Hue Silently Disables StartTLS in LDAP Connections
There are two mechanisms to secure communication to an LDAP server. One is to use an ‘ldaps’ connection, where all traffic is encrypted inside a TLS tunnel - much like ‘https’. The other is to use ‘StartTLS’, where traffic begins unencrypted in the “ldap” protocol and then upgrades itself to a TLS connection.
If StartTLS is enabled in the Hue configuration but the ‘ldap_cert’ parameter is not configured, then Hue silently disables StartTLS.
StartTLS will not be used for synchronization or import, even if StartTLS is enabled and the ‘ldap_cert’ parameter is set.
The result is that connections that the administrator assumes to be secured, using StartTLS, are not actually secure.
CVE: CVE-2019-19146
Date/time of detection: 22nd March, 2019
Detected by: Ben Gooley, Cloudera
Severity (Low/Medium/High): 8.8 High (CVSS AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Products affected:
CDH
Releases affected:
CDH 5.x
CDH 6.1.0
CDH 6.1.1
CDH 6.2.0
CDH 6.2.1
CDH 6.3.0
Users affected:
All users who have StartTLS enabled in the Hue configuration and use LDAP as the authentication backend to log in to Hue.
Impact:
Sensitive data exposure.
Action required:
Upgrade (recommended): Update to a version of CDH containing the fix.
Workaround: Use “ldaps” instead of “ldap” and StartTLS.
Addressed in release/refresh/patch:
CDH 6.3.1 and above
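To check an existing deployment against the conditions described in this bulletin, the following sketch audits the LDAP settings in a hue.ini file. It is an added example, not code from Cloudera or Hue; the `ldap_url` and `use_start_tls` key names and the treatment of an absent `use_start_tls` as enabled are assumptions about the Hue configuration, and the sample configuration is constructed.

```python
import re

SECTION = re.compile(r"^(\[+)\s*([^\]]+?)\s*(\]+)$")
TRUE = {"true", "1", "yes", "on"}
MESSAGES = {
    "STARTTLS_NO_CERT": "StartTLS enabled but ldap_cert unset: silently disabled on affected CDH",
    "STARTTLS_SYNC_IMPORT": "StartTLS with ldap_cert: still not used for sync/import on affected CDH",
    "PLAINTEXT": "ldap:// with StartTLS off: traffic is unencrypted",
}

# Constructed sample; the host name and certificate path are placeholders.
SAMPLE = """\
[desktop]
  [[ldap]]
  ldap_url=ldap://ldap.example.internal
  use_start_tls=true
  ## ldap_cert=/etc/hue/ca.pem
"""

def parse_hue_ini(text):
    """Return {section path: {key: value}}; bracket depth gives the nesting level."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented-out setting
        m = SECTION.match(line)
        if m:
            path = path[:len(m.group(1)) - 1] + [m.group(2)]
        elif "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(tuple(path), {})[key.strip()] = value.strip()
    return out

def audit_ldap(text):
    """Return (section, finding code) for every LDAP server block at risk."""
    findings = []
    for path, opts in parse_hue_ini(text).items():
        if "ldap" not in path or "ldap_url" not in opts:
            continue
        if opts["ldap_url"].lower().startswith("ldaps://"):
            continue  # the bulletin's workaround: TLS from the first byte
        # Assumption: an absent use_start_tls counts as enabled.
        if opts.get("use_start_tls", "true").lower() not in TRUE:
            code = "PLAINTEXT"
        elif not opts.get("ldap_cert"):
            code = "STARTTLS_NO_CERT"
        else:
            code = "STARTTLS_SYNC_IMPORT"
        findings.append(("/".join(path), code))
    return findings
```

Any finding on an affected release means the LDAP traffic should be treated as unprotected until the upgrade or the “ldaps” workaround is in place; `MESSAGES` maps each code to a description for reporting.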
#Cloudera
#Hadoop
#OpenSourceOfferings