PT-2019-11009 · Cloudera · Cloudera Navigator Key Trustee Kms
Published: 2019-06-07 · Updated: 2019-06-11
CVE-2018-6185
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:P/A:P |
Name of the Vulnerable Software and Affected Versions:
Cloudera Navigator Key Trustee KMS versions 5.12.0 through 5.13.0
Description:
The vulnerability stems from incorrect default ACL values in Cloudera Navigator Key Trustee KMS, which allow remote access to the purge and undelete API calls on encryption zone keys. The KMS exposes two such API calls, purge and undelete, governed by the ACLs keytrustee.kms.acl.PURGE and keytrustee.kms.acl.UNDELETE. Their default value of "*" lets anyone who knows an encryption zone key's name and has network access to the Key Trustee KMS invoke these calls, potentially recovering deleted keys or deleting keys in active use, which results in loss of access to encrypted HDFS data.

Recommendations:
For Cloudera Navigator Key Trustee KMS versions 5.12.0 through 5.13.0, consider restricting access to the keytrustee.kms.acl.PURGE and keytrustee.kms.acl.UNDELETE ACLs to prevent unauthorized API calls.
As a temporary workaround, restrict network access to the Key Trustee KMS to minimize the risk of exploitation.
Avoid using the default ACL value "*" for keytrustee.kms.acl.PURGE and keytrustee.kms.acl.UNDELETE to prevent unauthorized access to encryption zone keys.
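As an added example (not Cloudera's code), the following audit parses a Hadoop-style ACL configuration and flags the two ACLs when they are left open. It assumes the ACLs live in a Hadoop <configuration>/<property> XML file (the file name kms-acls.xml is assumed), that an absent property falls back to the "*" default the advisory describes, and that ACL values use the Hadoop "users groups" syntax; the sample configuration is constructed.

```python
"""Audit Key Trustee KMS ACLs for the open PURGE/UNDELETE defaults (CVE-2018-6185).

Added example, not Cloudera's code. Assumed: the ACLs are stored in a Hadoop
<configuration>/<property> XML file (assumed name: kms-acls.xml), and an
absent property falls back to the "*" default described in the advisory.
"""
import xml.etree.ElementTree as ET

RISKY_ACLS = ("keytrustee.kms.acl.PURGE", "keytrustee.kms.acl.UNDELETE")

# Constructed sample: PURGE still at the wildcard default, UNDELETE restricted
# to the user "hdfs" and the group "keyadmins" (Hadoop "users groups" syntax).
WEAK_KMS_ACLS = """<configuration>
  <property>
    <name>keytrustee.kms.acl.PURGE</name>
    <value>*</value>
  </property>
  <property>
    <name>keytrustee.kms.acl.UNDELETE</name>
    <value>hdfs keyadmins</value>
  </property>
</configuration>"""


def load_acls(xml_text):
    """Return {property name: value} for every <property> in the document."""
    root = ET.fromstring(xml_text)
    acls = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            acls[name.strip()] = prop.findtext("value", default="").strip()
    return acls


def audit_purge_undelete(xml_text):
    """Return a finding per PURGE/UNDELETE ACL that is effectively open to anyone."""
    acls = load_acls(xml_text)
    findings = []
    for name in RISKY_ACLS:
        value = acls.get(name)
        if value is None:
            findings.append(f"{name}: not set, falls back to default '*'")
        elif value == "*":
            findings.append(f"{name}: explicit wildcard '*'")
    return findings


if __name__ == "__main__":
    for finding in audit_purge_undelete(WEAK_KMS_ACLS):
        print("WARNING", finding)
```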
Affected Products
Cloudera Navigator Key Trustee Kms