Hue Silently Disables StartTLS in LDAP Connections
There are two mechanisms to secure communication to an LDAP server. One is to use an 'ldaps' connection, where all traffic is encrypted inside a TLS tunnel, much like 'https'. The other is to use 'StartTLS', where traffic begins unencrypted in the 'ldap' protocol and then upgrades itself to a TLS connection.
If StartTLS is enabled in the Hue configuration but the 'ldap_cert' parameter is not configured, then Hue silently disables StartTLS.
StartTLS will not be used for synchronization or import, even if StartTLS is enabled and the 'ldap_cert' parameter is set.
The result is that connections that the administrator assumes to be secured, using StartTLS, are not actually secure.
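As an added illustration of the upgrade described above (this is not code from the advisory or from Hue), the following Python builds the LDAP StartTLS extended request, parses the server's extended response, and fails closed: it never continues on the plaintext socket unless a CA file is supplied and the server reports success. The host, port and cafile arguments, and the sample responses in the comments, are assumptions constructed for the example.

```python
import socket
import ssl

# StartTLS extended operation OID (RFC 4511 section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV; short-form length is enough for these small messages."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def parse_starttls_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    def read(buf, pos):
        tag, length = buf[pos], buf[pos + 1]
        return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length
    tag, body, _ = read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read(body, 0)            # messageID
    tag, resp, _ = read(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read(resp, 0)         # resultCode ENUMERATED (0 = success)
    _, _, pos = read(resp, pos)          # matchedDN
    _, diag, _ = read(resp, pos)         # diagnosticMessage
    return code[0], diag.decode()


def starttls_or_fail(host: str, port: int, cafile: str) -> ssl.SSLSocket:
    """Upgrade a plain LDAP socket to TLS, or raise. Never silently stay in plaintext."""
    if not cafile:  # the misconfiguration in the advisory: missing CA must be an error
        raise ValueError("ldap_cert (CA file) is required for StartTLS")
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request())
    code, diag = parse_starttls_response(sock.recv(4096))
    if code != 0:
        sock.close()
        raise ConnectionError(f"StartTLS refused (resultCode={code}): {diag}")
    return ctx.wrap_socket(sock, server_hostname=host)
```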
CVE: CVE-2019-19146
Date/time of detection: 22nd March, 2019
Detected by: Ben Gooley, Cloudera
Products affected:
Releases affected:
- CDH 5.x
- CDH 6.1.0
- CDH 6.1.1
- CDH 6.2.0
- CDH 6.2.1
- CDH 6.3.0
Users affected:
- All users who have StartTLS enabled in the Hue configuration and use LDAP as the authentication backend to log in to Hue.
Impact:
Action required:
Upgrade (recommended)
Update to a version of CDH containing the fix.
Workaround
Use "ldaps" instead of "ldap" and StartTLS.
Addressed in release/refresh/patch:
https://community.ibm.com/community/user/hybriddatamanagement/viewdocument/technical-service-bulletin-2021-371?CommunityKey=99c4cc7a-4544-406c-b1b2-b74f2fcf3cba&tab=librarydocuments
Lynn Chou
Offering Manager, Cloudera Partnership
IBM