------------------------------------------------------------------------------------------
Technical Service Bulletin 2014-28 (TSB)

Title: Security Vulnerability: Sensitive Configuration Values Exposed in
Cloudera Manager
Certain configuration values that are stored in Cloudera Manager are
considered 'sensitive', such as database passwords. These configuration
values are expected to be inaccessible to non-admin users, and this is
enforced in the Cloudera Manager Admin Console. However, these
configuration values are not redacted when reading them through the API,
possibly making them accessible to users who should not have such access.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0

Users Affected: Cloudera Manager installations with non-admin users

Date/time of detection: May 7, 2014

Severity: High

Impact: Through the API only, non-admin users can access potentially
sensitive configuration information

CVE: CVE-2014-0220

Immediate action required:

See the following knowledge base article:

Security Vulnerability: Sensitive Configuration Values Exposed in Cloudera
Manager

ETA for resolution: May 13, 2014

Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and 5.0.1
------------------------------------------------------------------------------------------