Apache HBase RPC Authentication Security Bypass Vulnerability

Vulnerability ID 1166522 Vulnerability type Authorization issue
Published 2013-08-23 Updated 2013-08-23
CVE ID CVE-2013-2193 CNNVD ID CNNVD-201308-417
Platform N/A CVSS score 4.3
|Vulnerability sources
https://www.securityfocus.com/bid/61981
https://cxsecurity.com/issue/WLB-2013080198
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201308-417
|Vulnerability details
Apache HBase is a column-oriented distributed database from the Apache Software Foundation, built on Apache Hadoop and Apache ZooKeeper and suited to storing unstructured data. Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9 contain a security vulnerability: when HBase's Kerberos security features are enabled, the RPC peer can unilaterally switch off the mutual authentication checks, so an attacker positioned as a man in the middle can downgrade the connection to unauthenticated RPC and obtain sensitive information, including any credentials passed over RPC.
|Vulnerability EXP (vendor advisory)
CVE-2013-2193: Apache HBase Man in the Middle Vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
All versions of HBase 0.92.x prior to 0.92.3.
All versions of HBase 0.94.x prior to 0.94.9.

Users affected: Users who have enabled HBase's Kerberos security features
and who run HBase co-located on a cluster with Hadoop MapReduce or Hadoop
YARN.

Impact: RPC traffic from clients to Region Servers may be intercepted by a
malicious user with access to run tasks or containers on a cluster.

Description:
The Apache HBase RPC protocol is intended to provide bidirectional
authentication between clients and servers. However, a malicious server or
network attacker can unilaterally disable these authentication checks. This
allows for potential reduction in the configured quality of protection of
the RPC traffic, and privilege escalation if authentication credentials are
passed over RPC.

Mitigation:
Users of HBase 0.92.x versions prior to 0.92.3 should immediately upgrade
to 0.92.3 when it becomes available, or to 0.94.9 or later.
Users of HBase 0.94.x versions prior to 0.94.9 should immediately upgrade
to 0.94.9 or later.

Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T.
Myers of Cloudera.
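The advisory's core point, that a server or on-path attacker can "unilaterally disable these authentication checks", is an authentication-downgrade problem: the client requests Kerberos, the peer answers "use simple auth instead", and a pre-fix client obeys and sends its credential over an unauthenticated channel. The following is an added, constructed model of that exchange written for this page; it is not HBase's RPC code or wire format, and the message names (`HELLO`, `SASL_CHALLENGE`, `SWITCH_TO_SIMPLE_AUTH`), the `allow_fallback` switch and the sample token are invented for illustration. It shows both sides' messages, a vulnerable client beside a hardened one that treats any peer-initiated downgrade as a fatal error, and a wire transcript check that tells you whether the credential was exposed.

```python
# Added example (not HBase code): a toy model of the RPC auth-downgrade class
# behind CVE-2013-2193. Message names and fields are invented for illustration.
from dataclasses import dataclass, field

KERBEROS = "KERBEROS"
SIMPLE = "SIMPLE"
SASL_CHALLENGE = "SASL_CHALLENGE"
SWITCH_TO_SIMPLE = "SWITCH_TO_SIMPLE_AUTH"  # hypothetical server directive


@dataclass
class Wire:
    """Records every message exactly as an on-path attacker would see it."""
    log: list = field(default_factory=list)

    def send(self, sender: str, msg: str) -> None:
        self.log.append((sender, msg))

    def contains_plaintext(self, secret: str) -> bool:
        return any(secret in msg for _, msg in self.log)


class Server:
    """An honest server answers a Kerberos hello with a SASL challenge. A rogue
    server (or an attacker rewriting the reply in transit) has no service key,
    so it tells the client to drop to SIMPLE authentication instead."""

    def __init__(self, malicious: bool = False):
        self.malicious = malicious

    def on_hello(self, requested_auth: str) -> str:
        if self.malicious:
            return SWITCH_TO_SIMPLE
        return SASL_CHALLENGE


class Client:
    """allow_fallback=True models the pre-fix behaviour: whatever the server
    says goes. allow_fallback=False models the hardened client: dropping
    authentication must be an explicit local configuration choice, never a
    decision the unauthenticated peer gets to make."""

    def __init__(self, allow_fallback: bool):
        self.allow_fallback = allow_fallback

    def connect(self, server: Server, wire: Wire, token: str) -> str:
        wire.send("client", f"HELLO auth={KERBEROS}")
        reply = server.on_hello(KERBEROS)
        wire.send("server", reply)
        if reply == SWITCH_TO_SIMPLE:
            if not self.allow_fallback:
                raise PermissionError(
                    "server attempted to disable authentication; aborting")
            # Vulnerable path: obey the peer and push the credential over an
            # unauthenticated channel with no quality of protection.
            wire.send("client", f"AUTH {SIMPLE} token={token}")
            return SIMPLE
        # Normal path: the credential travels inside the SASL/GSSAPI exchange
        # and never appears on the wire in the clear.
        wire.send("client", "SASL_RESPONSE <kerberos AP-REQ, opaque>")
        return KERBEROS


def run_session(malicious_server: bool, allow_fallback: bool):
    """Returns (authentication actually used, whether the token leaked)."""
    wire = Wire()
    token = "delegation-token-ABC123"  # constructed sample credential
    client = Client(allow_fallback=allow_fallback)
    used = client.connect(Server(malicious=malicious_server), wire, token)
    return used, wire.contains_plaintext(token)


def downgrade_refused(malicious_server: bool, allow_fallback: bool) -> bool:
    """True when the client aborts rather than accepting a downgrade."""
    try:
        run_session(malicious_server, allow_fallback)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable client vs rogue server :", run_session(True, True))
    print("hardened client vs rogue server   :", downgrade_refused(True, False))
    print("hardened client vs honest server  :", run_session(False, False))
```

The hardened client differs from the vulnerable one by a single rule: a downgrade request arriving from the network is rejected unless the operator opted into it locally. That is the shape of fix to look for when reviewing any authenticated RPC layer, and `Wire.contains_plaintext` is the check to run against a capture when you suspect a deployment was downgraded.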
|Affected products
Apache HBase 0.94.8, Apache HBase 0.92.2, Apache HBase 0.94, Apache HBase 0.92
|References

Source: OSVDB
Name: 96615
Link: http://osvdb.org/96615
Source: FULLDISC
Name: 20130823 CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
Link: http://seclists.org/fulldisclosure/2013/Aug/250
Source: BID
Name: 61981
Link: http://www.securityfocus.com/bid/61981