A flaw was found in Apache HBase: A logic error caused HBase in most secure configuration deployments to handle its coordination state in ZooKeeper via insecure ACLs. Anyone with remote unauthenticated network access to the ZooKeeper quorum, which by definition includes all HBase clients, can make use of this opening to degrade or completely stop availability. Any user with the authentication credentials needed to connect to the HBase cluster as a normal user can, in some configurations, read newly written HBase data that they are not authorized to see. We believe it is possible for any user with authentication credentials for the underlying HDFS cluster to write arbitrary HBase data. Work to confirm this last attack vector is ongoing and this announcement will be updated when we have more information. External References: https://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg@mail.gmail.com%3E
Created hbase tracking bugs for this issue: Affects: fedora-all [bug 1293843]