Technical Service Bulletin 2021-434 (TSB), repost from Cloudera

 View Only

Technical Service Bulletin 2021-434 (TSB), repost from Cloudera 

Tue January 19, 2021 11:43 AM

Technical Service Bulletin 2021-434 (TSB)

Load Balancing Provider Fails to invalidate Cache on Key Delete

The KMS Load balancing Provider has not been correctly invalidating the cache on key delete operations. The failure to invalidate the cache on key delete operations can result in the possibility that data can be leaked from the framework for a short period of time based on the value of the property. Its default value is 30,000ms. When the KMS is deployed in an HA pattern the KMSLoadBalancingProvider class will only send the delete operation to one KMS role instance in a round-robin fashion. The code lacks a call to invalidate the cache across all instances and can leave key information including the metadata and key stored (the deleted key) in the cache on one or more KMS instances up to the key cache timeout.


  • HADOOP-17208
  • HADOOP-17304

Products affected: 

  • CDH
  • HDP
  • CDP

Releases affected: 

  • CDH 5.x
  • CDH 6.x
  • CDP 7.0.x
  • CDP 7.1.4 and earlier
  • HDP 2.6 and later

Users affected: 

  • Customers with Data-at-rest encryption enabled that have more than 1 kms role instance and the services Key Cache enabled.


  • Key Meta-data and Key material may remain active within the service cache.


  • Medium

 Action required:

  • CDH customers: Upgrade to CDP 7.1.5 or request a patch
  • HDP customers: Request a patch




0 Favorited
0 Files