Re: CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
Asaf Mesika 2013-08-24, 07:50
Any Cloudera release for that as well?
On Saturday, August 24, 2013, Aaron T. Myers wrote:
> Please see below for the official announcement of a serious security
> vulnerability which has been discovered and subsequently fixed in Apache
> HBase releases.
> CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
> Severity: Severe
> Vendor: The Apache Software Foundation
> Versions Affected:
> All versions of HBase 0.92.x prior to 0.92.3.
> All versions of HBase 0.94.x prior to 0.94.9.
> Users affected: Users who have enabled HBase's Kerberos security features
> and who run HBase co-located on a cluster with Hadoop MapReduce or Hadoop
> Impact: RPC traffic from clients to Region Servers may be intercepted by a
> malicious user with access to run tasks or containers on a cluster.
> The Apache HBase RPC protocol is intended to provide bidirectional
> authentication between clients and servers. However, a malicious server or
> network attacker can unilaterally disable these authentication checks. This
> allows for potential reduction in the configured quality of protection of
> the RPC traffic, and privilege escalation if authentication credentials are
> passed over RPC.
> Users of HBase 0.92.x versions prior to 0.92.3 should immediately upgrade
> to 0.92.3 when it becomes available, or to 0.94.9 or later.
> Users of HBase 0.94.x versions prior to 0.94.9 should immediately upgrade
> to 0.94.9 or later.
> Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T.
> Myers of Cloudera.