Cloudera leaves confidential data exposed

It is Cloudera’s turn to have exposed data by misconfiguring its cloud storage. In this case, the files in question were under the control of Hortonworks, a former competitor of Cloudera acquired by the latter in January 2019 and whose technology is now combined with that of its acquirer. Amid terabytes of files left publicly open, as part of Hortonworks’ contribution to the open-source Apache Hadoop project, were also a series of system identifiers and internal developer information. The issue, spotted and described by cybersecurity firm UpGuard, was reported by Techcrunch.

In a post, UpGuard explains that it found a cloud storage bucket configured for public access at “dev.hortonworks.com.s3.amazonaws.com”. Upon reviewing it, its security experts determined that it may contain sensitive information and reported their discovery to Cloudera on July 27. On August 8, the latter replied that he had investigated the problem and had remedied it, explaining that the S3 buckets remained open to allow downloads, adding that only 3 files, deleted on July 30, potentially contained confidential information . But a few days later, another email reached UpGuard in which Cloudera indicated that it had noticed that a backup of its Jenkins system – used to collaborate and automate the development life cycle – was also among the files accessible in a way. public. This system stored developer usernames and encrypted passwords. Upon verification, UpGuard found that all public access to the bucket dev.hortonworks.com had been deleted. The cybersecurity firm adds that Cloudera has, at the same time, indicated to it that it is interested in any other data exposure details that UpGuard may have observed. “We always appreciate a constructive response like this,” he comments in his post. “Open communication reduces risk and speeds up remediation.”

2.4 GB of text containing only the names of stored files

“This incident illustrates the risks inherent in extremely large cloud storage containers,” UpGuard said. The firm explains that after several hours of recording the names of the files available for download, it had recovered 2.4 GB of text, simply by gathering the names of the files, without any other content. In doing so, UpGuard highlights that the size of these file containers is such that even fully automated processes (download and text search) seem slow, “which gives an idea of ​​how long it would take to manually review them. contents “. Yet within this massive mass of files were credentials that were central to Hortonworks software development.

And UpGuard to recall that Cloudera counts the largest companies among its customers. Hence the vital importance of implementing security practices that prevent data leaks, insists the cybersecurity firm. Reducing response times to discovering misconfigurations exposing data is also paramount, she adds, noting that “it took Cloudera/Hortonworks eleven days to recognize the true severity and extent of the problem. “.