Vulnerability in the Commons Collections Library Used by HBase

This section describes a security issue in the Apache Commons Collections library that HBase uses.

Vulnerability: A potential security vulnerability exists in a third-party library called Apache Commons Collections. This library is used in products distributed and supported by MapR, including MapR releases of HBase.

Details: Unprivileged users can attack an HBase installation by capturing valid RPC payloads, rewriting them to embed an exploit, and replaying them to trigger remote command execution with the privileges of the account under which the HBase RegionServer daemon is running. See also HBASE-14799 and this article.

Products Affected: HBase 0.94.24, which is supported on MapR Versions 4.0.1 and 3.x. This vulnerability also affects HBase 0.98.x.

The commons-collections library is also used by Hadoop, and the same issue is fixed in MapR Version 5.1 via a backport of HADOOP-12577 to Hadoop 2.7. However, this problem is much less severe in Hadoop because Hadoop itself does not use any of the unsafe classes.
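The issue behind this advisory is a Java-serialization gadget chain: a crafted serialized stream names Commons Collections classes whose deserialization logic ends up invoking attacker-chosen methods, so any code path that deserializes an untrusted payload with a plain ObjectInputStream is exposed. Patching the library is the fix this page prescribes; the following is an added example (not MapR's, HBase's or Hadoop's code) of the complementary defensive check a practitioner applies wherever Java deserialization of untrusted input cannot be avoided: a look-ahead ObjectInputStream that rejects every class outside an explicit allowlist before the JVM loads it. The allowlist contents, the SafeObjectInputStream name and the sample payloads are assumptions constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeMap;

/**
 * Added example, not code from the page or the projects it describes.
 * Look-ahead deserialization: resolveClass() is consulted for every class
 * descriptor in the stream before that class is loaded, so refusing unknown
 * names here means no static initializer, readObject() or transformer logic
 * of a gadget class ever runs, whichever library it lives in.
 */
public final class SafeObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist for a payload that only ever carries these types.
    // java.lang.Number is needed because Integer's superclass descriptor is
    // also present in the stream and is resolved through this hook.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.String", "java.lang.Integer", "java.lang.Number",
        "java.util.HashMap", "java.util.ArrayList"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array descriptors start with '['; their element class is resolved
        // separately through this same hook, so they need no special allow.
        if (!name.startsWith("[") && !ALLOWED.contains(name)) {
            throw new InvalidClassException(name,
                "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize with the allowlist enforced; throws on any unexpected class. */
    public static Object readTrusted(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in =
                 new SafeObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a payload built only from allowlisted types passes.
        HashMap<String, Integer> expected = new HashMap<>();
        expected.put("region", 1);
        System.out.println("accepted: " + readTrusted(serialize(expected)));

        // Constructed sample: a stream naming a class outside the allowlist is
        // refused at resolveClass(), before any of that class's code can run.
        try {
            readTrusted(serialize(new TreeMap<String, Integer>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must be derived from what the protocol legitimately carries, not from what an attacker might send; a denylist of known gadget classes is brittle because new chains keep appearing in other libraries, which is why this advisory's note that Hadoop "does not use any of the unsafe classes" lowers severity there but does not by itself make unrestricted deserialization of untrusted input safe.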

Impact: This vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Severity: Critical

Bug Tracking: MapR bug 22346; see also HBASE-14799

Immediate Action Required: Customers should download the MapR 1602 version of HBase from package.mapr.com/releases or request it from support@mapr.com

Patch: The 1602 ecosystem release from MapR contains patches for this vulnerability for HBase 94 and HBase 98. Download the latest mapr-ecosystem RPM for your operating system from the following locations: