Bug 1293842 (CVE-2015-1836)

Summary: CVE-2015-1836 Apache HBase: insecure ACLs in ZooKeeper
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, aileenc, chazlett, coolsvap, dmcphers, gvarsami, jcoleman, jialiu, jokerman, ldimaggi, lmeyer, mmccomas, moceap, nwallace, rwagner, soa-p-jira, tcunning, tiwillia, tkirby
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: HBase 0.98.12.1, HBase 1.0.1.1, HBase 1.1.0.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:49:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1293843
Bug Blocks: 1293845

Description Martin Prpič 2015-12-23 09:23:18 UTC
A flaw was found in Apache HBase:

A logic error caused HBase in most secure configuration deployments to handle its coordination state in ZooKeeper via insecure ACLs. Anyone with remote unauthenticated network access to the ZooKeeper quorum, which by definition includes all HBase clients, can make use of this opening to degrade or completely stop availability. Any user with the authentication credentials needed to connect to the HBase cluster as a normal user can, in some configurations, read newly written HBase data that they are not authorized to see. We believe it is possible for any user with authentication credentials for the underlying HDFS cluster to write arbitrary HBase data. Work to confirm this last attack vector is ongoing and this announcement will be updated when we have more information.

External References:

https://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg@mail.gmail.com%3E
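A defensive check for the class of misconfiguration described in the report above, added here as an example; it is not code from the HBase project or from the reporter. It audits a snapshot of znode ACLs in the shape ZooKeeper's getAcl returns (scheme, id, permission bits) and flags entries that let unauthenticated world:anyone clients modify coordination state, plus znodes where no authenticated principal holds write rights at all. The znode paths under /hbase, the sample ACLs and the audit rules themselves are constructed for illustration; world read access is tolerated by default because that is the usual shape of a secured deployment, and the flag can be turned off for stricter sites.

```python
"""Audit a snapshot of ZooKeeper znode ACLs for world-modifiable entries.

Added example, not HBase project code. The snapshot below is constructed;
in a real audit it would come from getAcl calls against the quorum.
"""

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms)
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN
MODIFY = WRITE | CREATE | DELETE | ADMIN

# Schemes that identify an authenticated principal; "world" and "ip" do not.
AUTHENTICATED_SCHEMES = {"sasl", "digest", "auth"}


def perms_to_str(perms: int) -> str:
    """Render a permission bitmask in the zkCli 'cdrwa' style."""
    flags = [(CREATE, "c"), (DELETE, "d"), (READ, "r"), (WRITE, "w"), (ADMIN, "a")]
    return "".join(ch for bit, ch in flags if perms & bit)


def audit_znode(path: str, acl, allow_world_read: bool = True) -> list:
    """Return findings for one znode.

    acl: list of (scheme, id, perms) triples as returned by getAcl.
    Rule 1: world:anyone may hold at most READ (nothing, if allow_world_read is False).
    Rule 2: some authenticated principal must hold a modify permission, otherwise
            the node is either frozen or left to the world entry alone.
    """
    findings = []
    has_authenticated_owner = False
    for scheme, ident, perms in acl:
        if scheme == "world" and ident == "anyone":
            excess = perms & ~READ if allow_world_read else perms
            if excess:
                findings.append(
                    f"{path}: world:anyone has {perms_to_str(perms)} "
                    "(unauthenticated clients can modify this znode)"
                )
        elif scheme in AUTHENTICATED_SCHEMES and perms & MODIFY:
            has_authenticated_owner = True
    if not has_authenticated_owner:
        findings.append(f"{path}: no authenticated principal holds write/admin rights")
    return findings


def audit_tree(snapshot: dict, allow_world_read: bool = True) -> list:
    """Audit every znode in a {path: acl_list} snapshot, in path order."""
    findings = []
    for path in sorted(snapshot):
        findings.extend(audit_znode(path, snapshot[path], allow_world_read))
    return findings


# Constructed snapshot: two correctly secured znodes and two insecure ones.
SAMPLE_SNAPSHOT = {
    "/hbase": [("sasl", "hbase", ALL), ("world", "anyone", READ)],
    "/hbase/master": [("sasl", "hbase", ALL), ("world", "anyone", READ)],
    "/hbase/table/t1": [("world", "anyone", ALL)],            # fully open
    "/hbase/rs/rs1": [("world", "anyone", READ | WRITE)],     # world-writable
}

if __name__ == "__main__":
    for line in audit_tree(SAMPLE_SNAPSHOT):
        print(line)
```

Running the block against the constructed snapshot reports only the two open znodes; each produces a world:anyone finding and a missing-owner finding, while the two nodes owned by sasl:hbase with world read pass cleanly.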

Comment 1 Martin Prpič 2015-12-23 09:23:59 UTC
Created hbase tracking bugs for this issue:

Affects: fedora-all [bug 1293843]