Hadoop漏洞修复
CVE-2021-33036: Hadoop YARN REST API 未授权访问导致远程代码执行漏洞
Cluster Overview 未授权访问漏洞
Hadoop 未授权访问漏洞
修复方法1
修复方法1
1、进入hadoop配置文件目录,创建密钥文件 cd /home/flink/hadoop-3.3.2/etc/hadoop echo "hadoop" > hadoop-http-auth-signature-secret 2、备份core-site.xml文件,在配置文件configuration块中添加如下配置项,hadoop.http.authentication.signature.secret.file配置对应密钥文件路径是否完整可访问到。 <configuration> <property> <name>hadoop.http.filter.initializers</name> <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value> </property> <property> <name>hadoop.http.authentication.type</name> <value>simple</value> </property> <property> <name>hadoop.http.authentication.token.validity</name> <value>3600</value> </property> <property> <name>hadoop.http.authentication.signature.secret.file</name> <value>/home/flink/hadoop-3.3.2/etc/hadoop/hadoop-http-auth-signature-secret</value> </property> <property> <name>hadoop.http.authentication.cookie.domain</name> <value></value> </property> <property> <name>hadoop.http.authentication.simple.anonymous.allowed</name> <value>false</value> </property> </configuration>
修复方法2
下载jersey-server-1.19.jar
#公司内网下载 wget http://10.130.36.117/Deploymentpackage/jersey-server-1.19.jar CSDN地址下载:https://download.csdn.net/download/zhao138969/89487778
修改方法2
1、#备份原有jersey-server-1.19.jar文件 cd /home/flink/hadoop-3.3.2/share/hadoop/common/lib/ mv jersey-server-1.19.jar jersey-server-1.19.jar_bak cd /home/flink/hadoop-3.3.2/share/hadoop/hdfs/lib/ mv jersey-server-1.19.jar jersey-server-1.19.jar_bak 2、上传加固的jersey-server-1.19.jar到对应目录下 cd /home/flink/hadoop-3.3.2/share/hadoop/common/lib/ rz -be jersey-server-1.19.jar cd /home/flink/hadoop-3.3.2/share/hadoop/hdfs/lib/ rz -be jersey-server-1.19.jar
重启Hadoop集群
stop-dfs.sh start-dfs.sh
验证方法
#在浏览器中进行访问 http://ip:50070 #出现错误 http://ip:50070?user.name=hadoop #访问正确
Flink漏洞修复
Apache Flink任意 Jar 包上传导致远程代码执行漏洞
Apache Flink未授权访问漏洞
修改方法
修改方法
1、创建cer目录然后,生产证书。 cd /home/flink/flink-1.15.2/conf/cer #创建证书,密码并设置为Ccod@2024 keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" -storepass ca_keystore_password -keypass ca_key_password -keyalg RSA -keysize 4096 -ext "bc=ca:true" keytool -exportcert -keystore ca.keystore -alias ca -storepass ca_keystore_password -file ca.cer keytool -importcert -keystore ca.truststore -alias ca -storepass Ccod@2024 -file ca.cer -noprompt keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname "CN=flink.company.org" -ext "SAN=dns:flink.company.org" -storepass Ccod@2024 -keypass Ccod@2024 -keyalg RSA -keysize 4096 keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass Ccod@2024 -keypass Ccod@2024 -file rest.csr keytool -gencert -alias ca -keystore ca.keystore -storepass ca_keystore_password -keypass ca_key_password -ext "SAN=dns:flink.company.org,10.130.47.192" -infile rest.csr -outfile rest.cer keytool -importcert -keystore rest.signed.keystore -storepass Ccod@2024 -file ca.cer -alias ca -noprompt keytool -importcert -keystore rest.signed.keystore -storepass Ccod@2024 -keypass Ccod@2024 -file rest.cer -alias flink.rest -noprompt 2、 修改flink配置文件 cp flink-conf.yaml flink-conf.yaml_bak vim flink-conf.yaml #以下配置项 security.ssl.rest.authentication-enabled: false security.ssl.internal.enabled: false security.ssl.verify-hostname: false security.ssl.rest.enabled: true security.ssl.rest.keystore: /home/flink/flink-1.15.2/conf/cer/rest.signed.keystore security.ssl.rest.truststore: /home/flink/flink-1.15.2/conf/cer/ca.truststore security.ssl.rest.key-password: Ccod@2024 security.ssl.rest.truststore-password: Ccod@2024 security.ssl.rest.keystore-password: Ccod@2024 web.submit.enabled: false web.cancel.enabled: false jobmanager.web.submit.enable: false #该配置项配置上后,则无法通过web页面提交jar任务,只有通过命令来启动job任务。 3、重启flink start-cluster.sh stop-cluster.sh 4、命令行启动flink job task flink run -d -c com.channelsoft.flinkstatics.job.ServiceDetailJob -p 3 ./flink-statics-1.1.1.3-SNAPSHOT-jar-with-dependencies.jar -zookeeper 10.130.47.192:2181 5、登录flink https:ip/8180端口
