Vulnerability in the Commons Collections Library Used by HBase
This section describes a security issue in the Apache Commons Collections library that HBase uses.
|Vulnerability||A potential security vulnerability exists in a third-party library called Apache Commons Collections. This library is used in products distributed and supported by MapR, including MapR releases of HBase.|
|Details||Unprivileged users can attack an HBase installation by capturing valid RPC payloads, rewriting them to embed an exploit, and replaying them to trigger remote command execution with the privileges of the account under which the HBase RegionServer daemon runs. The root cause is that unpatched Commons Collections ships transformer classes that invoke attacker-chosen methods when a crafted serialized object is deserialized, so any code path that deserializes untrusted bytes with those classes on the classpath is exposed. See also HBASE-14799 and this article.|
|Products Affected||HBase 0.94.24, which is supported on MapR Versions 4.0.1 and 3.x. This vulnerability also affects HBase 0.98.x. The commons-collections library is also used by Hadoop, and the same issue is fixed in MapR Version 5.1 via a backport of HADOOP-12577 (which moves Hadoop to commons-collections 3.2.2) to Hadoop 2.7. However, the problem is much less severe in Hadoop because Hadoop itself does not use any of the unsafe classes.|
|Impact||This vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.|
|Bug Tracking||MapR bug 22346; see also HBASE-14799|
|Immediate Action Required||Customers should download the MapR 1602 version of HBase from package.mapr.com/releases or request it from firstname.lastname@example.org|
|Patch||The 1602 ecosystem release from MapR contains patches for this vulnerability for HBase 0.94 and HBase 0.98. Download the latest
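The Details and Patch rows say what to fix but not how to confirm that an installation is actually running the fixed library. The POSIX shell script below is an added example, not MapR tooling or HBase project code. It walks an install tree for commons-collections jars and flags any version below 3.2.2 (the version HADOOP-12577 adopts, and the first 3.x release that refuses to deserialize the unsafe transformer classes by default; 4.1 is the equivalent in the commons-collections4 line). It also checks a JVM option string for org.apache.commons.collections.enableUnsafeSerialization=true, the system property that re-enables the unsafe classes even on a fixed jar. The script assumes jars are named commons-collections-<version>.jar or commons-collections4-<version>.jar, as in stock HBase and Hadoop lib directories; the /opt/mapr default path and the HBASE_OPTS variable name are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not MapR or HBase project code): find commons-collections jars
# under an install tree and flag versions that still deserialize the unsafe
# transformer classes. Assumes the jar naming used by stock HBase/Hadoop lib
# directories: commons-collections-<ver>.jar or commons-collections4-<ver>.jar.

# cc_version_ok VERSION
# Succeeds when VERSION carries the deserialization hardening:
# 3.2.2 or later on the 3.x line, 4.1 or later on the commons-collections4 line.
# Unparseable versions and other major lines are treated as needing review (fail).
cc_version_ok() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$rest" = "$minor" ] && patch=0        # two-component version such as 4.0
    minor=${minor%%[!0-9]*}                  # drop vendor qualifiers, e.g. 2-mapr-1602
    patch=${patch%%[!0-9]*}
    [ -n "$minor" ] || return 1
    [ -n "$patch" ] || patch=0
    case "$major" in
        3) [ "$minor" -gt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -ge 2 ]; } ;;
        4) [ "$minor" -ge 1 ] ;;
        *) return 1 ;;
    esac
}

# scan_cc_jars DIR
# Prints "VULNERABLE <path>" or "OK <path>" for every commons-collections jar under DIR.
scan_cc_jars() {
    find "$1" -name 'commons-collections*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        name=$(basename "$jar" .jar)
        ver=${name#commons-collections4-}
        ver=${ver#commons-collections-}
        if cc_version_ok "$ver"; then
            printf 'OK         %s\n' "$jar"
        else
            printf 'VULNERABLE %s\n' "$jar"
        fi
    done
}

# count_vulnerable_cc_jars DIR
# Prints the number of flagged jars under DIR.
count_vulnerable_cc_jars() {
    scan_cc_jars "$1" | grep -c '^VULNERABLE'
}

# unsafe_serialization_enabled "JVM OPTIONS"
# Succeeds when the options contain the system property that re-enables the
# unsafe transformers in commons-collections 3.2.2 and later, undoing the fix.
unsafe_serialization_enabled() {
    case "$1" in
        *"-Dorg.apache.commons.collections.enableUnsafeSerialization=true"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh cc-check.sh INSTALL_DIR   (for example /opt/mapr; an assumed path)
# Reads HBASE_OPTS from the environment to check the RegionServer's JVM options.
if [ "$#" -gt 0 ]; then
    report=$(scan_cc_jars "$1")
    printf '%s\n' "$report"
    printf '%s vulnerable jar(s) under %s\n' "$(printf '%s\n' "$report" | grep -c '^VULNERABLE')" "$1"
    if unsafe_serialization_enabled "${HBASE_OPTS:-}"; then
        echo "WARNING: HBASE_OPTS re-enables unsafe serialization; the fixed jar will not protect you"
    fi
fi
```

Run it against the HBase and Hadoop install directories after deploying the 1602 packages; any VULNERABLE line, or the HBASE_OPTS warning, means the RegionServer can still load the unsafe classes. A version string the script cannot parse is deliberately reported as vulnerable rather than silently accepted, so unexpected jar names get a human look.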