Admins should upgrade to a current version

May 26, 2015 09:43 GMT

An important vulnerability in Apache HBase can be exploited by an unauthenticated remote attacker who has network access to the ZooKeeper quorum to deny access to the data store.

An attacker with a foothold on the same network could also leverage the flaw for more damaging activity, such as reading data or possibly modifying it.

HBase is an open-source, Java-based distributed database for big data that stores its tables across a large number of servers on top of the Hadoop Distributed File System (HDFS), and is part of the Apache Hadoop ecosystem. It relies on Apache ZooKeeper to coordinate its cluster state.

Attacker may be able to alter HBase data

Tracked as CVE-2015-1836, the vulnerability stems from a logic error that causes HBase, in most secure (Kerberos-authenticated) deployments, to write its coordination data to ZooKeeper with insecure Access Control Lists (ACLs), leaving the nodes open to any client that can reach the quorum.

This makes a denial-of-service (DoS) condition possible and allows reading of newly written HBase information that is not intended for normal users.

“We believe it is possible for any user with authentication credentials for the underlying HDFS cluster to write arbitrary HBase data,” reads the security advisory on Monday, adding that this possibility was not confirmed.

New HBase versions available

The affected versions of the product are 0.98.0 through 0.98.12, 1.0.0 through 1.0.1, and 1.1.0.

The Apache HBase project rolled out new releases (0.98.12.1, 1.0.1.1, 1.1.0.1) that include a hotfix for the issue and advises users to update as soon as possible. The project also warns that the 0.96 line, which is no longer supported, is affected as well and should be replaced with a supported version.

The patch consists of ensuring that newly written coordination data is created in ZooKeeper with the correct ACLs.

Administrators should be aware that the bug may have masked configuration errors, since the open ACLs let every client through regardless of how it authenticated; HBase deployments should therefore be verified before the upgrade is started, as the misconfigured clients will no longer work once the ACLs are enforced.

The security advisory also provides a list of ZooKeeper commands that must be run in sequence from the ZooKeeper command-line interface to correct the ACLs on coordination data that is already present in ZooKeeper, which the hotfix alone does not rewrite.
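As an added example (not code from the advisory or from HBase itself), the following POSIX shell script shows how an administrator could audit the ACL that `getAcl <znode>` prints in ZooKeeper's `zkCli.sh` for an HBase znode, flag the open ACL the bug produces, and emit the corresponding `setAcl` fix. The HBase service principal name (`hbase`), the hardened ACL `sasl:hbase:cdrwa,world:anyone:r`, the znode paths and the `getAcl` output samples are assumptions made for illustration; the exact ACLs and commands for a real cluster are the ones listed in the advisory.

```sh
#!/bin/sh
# Added example; not part of the HBase advisory or of HBase itself.
#
# zkCli.sh prints each entry of a znode's ACL as two lines:
#   'scheme,'id
#   : perms        (perms is a subset of c d r w a: create, delete, read, write, admin)
#
# CVE-2015-1836 leaves HBase coordination znodes with an ACL that grants
# world:anyone more than read access; that is the condition checked here.

# acl_is_insecure: reads getAcl output on stdin.
# Exit status 0 if some world:anyone entry grants c, d, w or a; 1 otherwise.
acl_is_insecure() {
  awk '
    /^.world,.anyone$/ { open = 1; next }   # header of an unauthenticated entry
    /^.[a-z]+,/        { open = 0; next }   # header of any other scheme (sasl, digest, ...)
    /^: /              { if (open && substr($0, 3) ~ /[cdwa]/) bad = 1 }
    END                { exit bad ? 0 : 1 }
  '
}

# remediation_command: prints the zkCli.sh command that replaces the open ACL on
# ZNODE with the assumed hardened one: the service principal keeps full rights,
# everyone else is read-only. Run it inside zkCli.sh connected to the quorum.
remediation_command() {
  znode=$1
  printf 'setAcl %s sasl:hbase:cdrwa,world:anyone:r\n' "$znode"
}

# audit_znode ZNODE ACL_TEXT: prints "OPEN <znode> -> <fix>" and returns 1 when
# the ACL is insecure, or prints "OK   <znode>" and returns 0 otherwise.
audit_znode() {
  znode=$1
  acl=$2
  if printf '%s\n' "$acl" | acl_is_insecure; then
    printf 'OPEN %s -> %s\n' "$znode" "$(remediation_command "$znode")"
    return 1
  fi
  printf 'OK   %s\n' "$znode"
  return 0
}

# Constructed sample getAcl output (not captured from a real cluster).
# The ACL the bug produces: anyone on the network may create, delete, read,
# write and administer the znode.
OPEN_ACL="'world,'anyone
: cdrwa"

# The assumed hardened ACL after the fix or the manual setAcl.
FIXED_ACL="'sasl,'hbase
: cdrwa
'world,'anyone
: r"

# Stand-alone run over the two samples (znode paths are illustrative).
audit_znode /hbase/master "$OPEN_ACL" || true
audit_znode /hbase/hbaseid "$FIXED_ACL"
```

Against a live quorum the same check is driven by feeding `zkCli.sh -server <host:port> getAcl <znode>` output into `acl_is_insecure`; the audit should be run before the upgrade, as the advisory recommends, so that clients which only worked because of the open ACLs are found before access is tightened.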