Apache HBase Fixes Flaws

Wednesday, May 27, 2015 @ 04:05 PM gHale


A remote attacker who gains network access to the ZooKeeper quorum can exploit an Apache HBase vulnerability to deny access to the data store.

An attacker logged into the network could also use the security flaw for more damaging activity, researchers said. HBase is a Java-based open source management system for big data stored across a large number of servers, which is part of the Hadoop software library.

Tracked as CVE-2015-1836, the vulnerability stems from a logic error that causes HBase, in most secure-configuration deployments, to coordinate data via ZooKeeper using insecure Access Control Lists (ACLs).

This could lead to a denial-of-service (DoS) condition and to the reading of newly written HBase information not intended for normal users.

“We believe it is possible for any user with authentication credentials for the underlying HDFS cluster to write arbitrary HBase data,” the security advisory said.

The affected versions of the product are 0.98.0 through 0.98.12, 1.0.0 through 1.0.1, and 1.1.0.

Apache rolled out new releases (0.98.12.1, 1.0.1.1, 1.1.0.1) that include a hotfix for the issue and advises users to update as soon as possible. The developer warns that version 0.96, which is no longer supported, also suffers from the issue and users should replace it.

The patch consists of ensuring that newly written coordination information receives the correct ACLs.

The security advisory also provides a list of ZooKeeper commands that must be run in sequence via the command-line interface to set the proper ACLs.
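The weakness the article describes (coordination znodes carrying ACLs that let unauthenticated clients write) and the fix (ensuring the znodes carry the correct ACLs) can both be checked from the output of ZooKeeper's own `getAcl` command. The script below is an added example, not code from the article or from the HBase project: it parses the text that the zkCli shell prints for `getAcl <znode>` (assumed format: one line naming the scheme and id, followed by a `: perms` line), flags entries that grant `world:anyone` anything beyond read, and builds the corresponding `setAcl` argument. The `/hbase` parent znode, the `hbase` SASL principal, the decision to keep anonymous read access, and the sample `getAcl` output are all assumptions constructed for illustration.

```python
"""Audit ZooKeeper znode ACLs for world-writable entries and derive a
hardened setAcl command (added example; not from the article or HBase).

Assumed zkCli `getAcl` output format (ZooKeeper 3.4-era shell):
    'world,'anyone
    : cdrwa
    'sasl,'hbase
    : cdrwa
"""

# ZooKeeper permission bits, as in org.apache.zookeeper.ZooDefs.Perms
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
ALL_PERMS = "cdrwa"

# Constructed sample: an HBase-style znode left world-writable.
SAMPLE_GETACL = """\
'world,'anyone
: cdrwa
'sasl,'hbase
: cdrwa
"""


def parse_getacl(text):
    """Turn zkCli getAcl output into a list of (scheme, id, perms) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("getAcl output should pair identity and permission lines")
    entries = []
    for ident_line, perm_line in zip(lines[0::2], lines[1::2]):
        if not perm_line.startswith(":"):
            raise ValueError("unexpected permission line: %r" % perm_line)
        # identity line looks like 'world,'anyone  or  'sasl,'hbase
        scheme, _, ident = ident_line.replace("'", "").partition(",")
        entries.append((scheme, ident, perm_line[1:].strip()))
    return entries


def perms_to_bits(perm_str):
    """Map a perms string such as 'cdrwa' to its ZooKeeper bit mask."""
    bits = 0
    for ch in perm_str:
        bits |= PERM_BITS[ch]
    return bits


def find_insecure(entries):
    """Entries that let any unauthenticated client modify the znode."""
    mutating = perms_to_bits("wcda")
    return [e for e in entries
            if e[0] == "world" and e[1] == "anyone"
            and perms_to_bits(e[2]) & mutating]


def harden(entries, principal):
    """Restrict world:anyone to read (assumption: anonymous read is tolerated)
    and make sure the service's SASL principal keeps full control."""
    hardened = []
    for scheme, ident, perms in entries:
        if scheme == "world" and ident == "anyone":
            hardened.append((scheme, ident, "r"))
        else:
            hardened.append((scheme, ident, perms))
    if not any(s == "sasl" and i == principal for s, i, _ in hardened):
        hardened.append(("sasl", principal, ALL_PERMS))
    return hardened


def format_setacl(znode, entries):
    """Render entries in zkCli's setAcl syntax: scheme:id:perms,..."""
    spec = ",".join("%s:%s:%s" % e for e in entries)
    return "setAcl %s %s" % (znode, spec)


if __name__ == "__main__":
    acl = parse_getacl(SAMPLE_GETACL)
    for bad in find_insecure(acl):
        print("insecure entry: %s:%s:%s" % bad)
    # '/hbase' and 'hbase' are assumed defaults for the parent znode and principal
    print(format_setacl("/hbase", harden(acl, "hbase")))
```

Run it against the real output of `getAcl` for each znode under the HBase parent; any line reported as insecure is one the advisory's command sequence is meant to correct.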
