hbase-user mailing list archives

From Jean-Marc Spaggiari <jean-m...@spaggiari.org>
Subject Re: CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
Date Sat, 24 Aug 2013 11:25:58 GMT

Hi Asif,

Here is the announcement on the Cloudera website:
http://www.cloudera.com/content/cloudera-content/cloudera-docs/SecurityBulletins/3.25.2013/Security-Bulletin/csb_topic_1.html?scroll=topic_1

And CDH 4.3.1 has been released to fix that and is available there:
https://www.cloudera.com/content/support/en/downloads.html

JM

2013/8/24 Asaf Mesika <asaf.mesika@gmail.com>

> Any Cloudera release for that as well?
>
> On Saturday, August 24, 2013, Aaron T. Myers wrote:
>
> > Hello,
> >
> > Please see below for the official announcement of a serious security
> > vulnerability which has been discovered and subsequently fixed in Apache
> > HBase releases.
> >
> > Best,
> > Aaron
> >
> > CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
> >
> > Severity: Severe
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > All versions of HBase 0.92.x prior to 0.92.3.
> > All versions of HBase 0.94.x prior to 0.94.9.
> >
> > Users affected: Users who have enabled HBase's Kerberos security features
> > and who run HBase co-located on a cluster with Hadoop MapReduce or Hadoop
> > YARN.
> >
> > Impact: RPC traffic from clients to Region Servers may be intercepted by a
> > malicious user with access to run tasks or containers on a cluster.
> >
> > Description:
> > The Apache HBase RPC protocol is intended to provide bidirectional
> > authentication between clients and servers. However, a malicious server or
> > network attacker can unilaterally disable these authentication checks. This
> > allows for potential reduction in the configured quality of protection of
> > the RPC traffic, and privilege escalation if authentication credentials are
> > passed over RPC.
> >
> > Mitigation:
> > Users of HBase 0.92.x versions prior to 0.92.3 should immediately upgrade
> > to 0.92.3 when it becomes available, or to 0.94.9 or later.
> > Users of HBase 0.94.x versions prior to 0.94.9 should immediately upgrade
> > to 0.94.9 or later.
> >
> > Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T.
> > Myers of Cloudera.
> >
>
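
A triage sketch for the advisory quoted above, added here as an example and not part of the original thread or of any Apache or Cloudera tooling: it applies the "Versions Affected" and "Users affected" criteria to a version string and an hbase-site.xml. The function names, status labels and sample inputs are assumptions constructed for illustration; builds with a vendor suffix are referred to the vendor's bulletin instead of being judged by the upstream number.

```python
import re
import xml.etree.ElementTree as ET

# First fixed patch release per line, from the advisory's "Versions Affected".
FIXED_PATCH = {(0, 92): 3, (0, 94): 9}

def classify_version(version):
    """Map an HBase version string to affected / fixed / check-vendor / not-listed."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised HBase version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not-listed"      # the advisory makes no statement about this line
    if patch >= fixed:           # numeric compare, so 0.94.10 sorts after 0.94.9
        return "fixed"
    # A vendor suffix (e.g. "-cdh...") may carry a backported fix, so the
    # upstream number alone cannot decide; defer to the vendor's bulletin.
    return "check-vendor" if m.group(4) else "affected"

def kerberos_enabled(hbase_site_xml):
    """True if hbase-site.xml sets hbase.security.authentication to kerberos."""
    root = ET.fromstring(hbase_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "hbase.security.authentication":
            return (prop.findtext("value") or "").strip().lower() == "kerberos"
    return False                 # property absent: HBase defaults to "simple"

def triage(version, hbase_site_xml, colocated_with_mr_or_yarn):
    """Combine the version check with the advisory's "Users affected" conditions."""
    status = classify_version(version)
    if status in ("fixed", "not-listed"):
        return status
    if not (kerberos_enabled(hbase_site_xml) and colocated_with_mr_or_yarn):
        return "out-of-scope"    # does not match "Users affected" as stated
    return "upgrade" if status == "affected" else "check-vendor"

# Constructed sample input, not taken from a real cluster.
SAMPLE_SITE = """<configuration>
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for v in ("0.92.2", "0.94.10", "0.94.6-cdh4.3.0", "0.90.6"):
        print(f"{v:18} {triage(v, SAMPLE_SITE, True)}")
```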
