Bug 1293842 - (CVE-2015-1836) CVE-2015-1836 Apache HBase: insecure ACLs in ZooKeeper
CVE-2015-1836 Apache HBase: insecure ACLs in ZooKeeper
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1293843
Blocks: 1293845
  Show dependency treegraph
Reported: 2015-12-23 04:23 EST by Martin Prpič
Modified: 2018-06-29 18:06 EDT (History)
20 users (show)

See Also:
Fixed In Version: HBase, HBase, HBase
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-12-23 04:23:18 EST
A flaw was found in Apache HBase:

A logic error caused HBase in most secure configuration deployments to handle its coordination state in ZooKeeper via insecure ACLs. Anyone with remote unauthenticated network access to the ZooKeeper quorum, which by definition includes all HBase clients, can make use of this opening to degrade or completely stop availability. Any user with the authentication credentials needed to connect to the HBase cluster as a normal user can, in some configurations, read newly written HBase data that they are not authorized to see. We believe it is possible for any user with authentication credentials for the underlying HDFS cluster to write arbitrary HBase data. Work to confirm this last attack vector is ongoing and this announcement will be updated when we have more information.

External References:

Comment 1 Martin Prpič 2015-12-23 04:23:59 EST
Created hbase tracking bugs for this issue:

Affects: fedora-all [bug 1293843]

Note You need to log in before you can comment on or make changes to this bug.