Re: CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
Any Cloudera release for that as well?

On Saturday, August 24, 2013, Aaron T. Myers wrote:

> Hello,
>
> Please see below for the official announcement of a serious security
> vulnerability which has been discovered and subsequently fixed in Apache
> HBase releases.
>
> Best,
> Aaron
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
>
> Severity: Severe
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> All versions of HBase 0.92.x prior to 0.92.3.
> All versions of HBase 0.94.x prior to 0.94.9.
>
> Users affected: Users who have enabled HBase's Kerberos security features
> and who run HBase co-located on a cluster with Hadoop MapReduce or Hadoop
> YARN.
>
> Impact: RPC traffic from clients to Region Servers may be intercepted by a
> malicious user with access to run tasks or containers on a cluster.
>
> Description:
> The Apache HBase RPC protocol is intended to provide bidirectional
> authentication between clients and servers. However, a malicious server or
> network attacker can unilaterally disable these authentication checks. This
> allows for potential reduction in the configured quality of protection of
> the RPC traffic, and privilege escalation if authentication credentials are
> passed over RPC.
>
> Mitigation:
> Users of HBase 0.92.x versions prior to 0.92.3 should immediately upgrade
> to 0.92.3 when it becomes available, or to 0.94.9 or later.
> Users of HBase 0.94.x versions prior to 0.94.9 should immediately upgrade
> to 0.94.9 or later.
>
> Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T.
> Myers of Cloudera.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>