CVE-2019-0212

Name of the Vulnerable Software and Affected Versions: Apache HBase versions 2.0.0 through 2.0.4 Apache HBase versions 2.1.0 through 2.1.3

Description: The issue concerns incorrect authorization in the HBase REST server. Requests were executed with the permissions of the REST server, not the end-user. This occurs when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server uses SPNEGO authentication. The issue is limited to the HBase REST server.

Recommendations: For Apache HBase versions 2.0.0 through 2.0.4, consider disabling the HBase REST server until a patch is available. For Apache HBase versions 2.1.0 through 2.1.3, consider disabling the HBase REST server until a patch is available. As a temporary workaround, restrict access to the HBase REST server to minimize the risk of exploitation.