Posted to issues@spark.apache.org by "Hyukjin Kwon (Jira)" <ji...@apache.org> on 2019/10/08 05:44:20 UTC

[jira] [Resolved] (SPARK-24512) SparkSQL ThriftServer port (ie 10015) supports TLSv1.0

     [ https://issues.apache.org/jira/browse/SPARK-24512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hyukjin Kwon resolved SPARK-24512.
----------------------------------
    Resolution: Incomplete

> SparkSQL ThriftServer port (ie 10015) supports TLSv1.0
> ------------------------------------------------------
>
>                 Key: SPARK-24512
>                 URL: https://issues.apache.org/jira/browse/SPARK-24512
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: bulk-closed
>
> THREAT:
> TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
> For example, TLSv1.0 uses either the RC4 stream cipher or a block cipher in CBC mode.
> RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE attack.
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to SSL v3.0, thus weakening security.
> A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a downgrade.
> This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance with the new standards. For existing implementations, Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
> Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 (https://community.qualys.com/message/34120)
> IMPACT:
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decrypt communications.
> For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read secure communications or maliciously modify messages.
> A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a downgrade.
> SOLUTION:
> Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
> The following openssl command can be used to do a manual test:
> openssl s_client -connect ip:port -tls1
> If the test is successful, then the target supports TLSv1.
>  
>  
> The spark-defaults.conf below was applied:
> spark.ssl.enabled true
> spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
> spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
> spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> spark.ssl.protocol TLSv1.2
> spark.ssl.trustStoreType JKS
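As an added example (not code from the issue or from Spark), a Python lint over the spark-defaults.conf settings quoted above: it checks the three points the finding raises (protocol floor of TLSv1.2, RC4, CBC mode) and also flags suite names that are not in the JSSE `TLS_..._WITH_...` form, on the assumption that the JVM only matches `spark.ssl.enabledAlgorithms` entries written that way.

```python
import re

# Constructed sample mirroring the spark-defaults.conf quoted in the issue.
SAMPLE_CONF = """\
spark.ssl.enabled true
spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
"""

# Protocol versions that satisfy the "TLSv1.2 or stronger" remediation.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# JSSE (Java) cipher suite naming; assumption: Spark runs on the JVM, so suites must use this form.
JSSE_SUITE = re.compile(r"^(TLS|SSL)_\w+_WITH_\w+$")

def parse_conf(text):
    """Parse spark-defaults.conf text: one 'key value' pair per line, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf

def audit_ssl(conf):
    """Return a list of findings; an empty list means the settings pass this lint."""
    findings = []
    if conf.get("spark.ssl.enabled", "false").lower() != "true":
        findings.append("spark.ssl.enabled is not true")
    proto = conf.get("spark.ssl.protocol", "")
    if proto not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"spark.ssl.protocol={proto!r}; expected TLSv1.2 or later")
    for suite in conf.get("spark.ssl.enabledAlgorithms", "").split(","):
        suite = suite.strip()
        if not suite:
            continue
        if not JSSE_SUITE.match(suite):
            findings.append(f"{suite}: not a JSSE suite name (OpenSSL-style); the JVM will not match it")
            continue
        if "RC4" in suite:
            findings.append(f"{suite}: RC4 stream cipher has known biases")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC-mode suite (POODLE-class padding oracle); prefer a GCM suite")
    return findings
```

Passing this lint does not show that the listener actually rejects TLSv1.0 on the wire; the `openssl s_client -connect ip:port -tls1` check from the SOLUTION section above remains the runtime test.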



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
