Bradley Parker

Name of the Vulnerable Software and Affected Versions: Apache HBase versions 2.0.0 through 2.0.4 Apache HBase versions 2.1.0 through 2.1.3 Description: The issue concerns incorrect authorization in the HBase REST server. Requests were executed with the permissions of the REST server, not the end-user. This occurs when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server uses SPNEGO authentication. The issue is limited to the HBase REST server. Recommendations: For Apache HBase versions 2.0.0 through 2.0.4, consider disabling the HBase REST server until a patch is available. For Apache HBase versions 2.1.0 through 2.1.3, consider disabling the HBase REST server until a patch is available. As a temporary workaround, restrict access to the HBase REST server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Derby versions 10.3.1.4 through 10.14.1.0 **Description** The issue is related to insufficient input validation in the Apache Derby database management system. This can be exploited by a remote attacker to impact the integrity of protected information. A specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. The attack's success depends on whether the Derby Network Server is running with a Java Security Manager policy file. If such a policy file is in use, it must permit the database location to be read for the attack to be successful. The default policy file distributed with the affected releases has a permissive policy, allowing the attack to work. **Recommendations** For Apache Derby versions 10.3.1.4 through 10.14.1.0, consider implementing a Java Security Manager policy file that restricts database locations to prevent unauthorized access. If a policy file is already in use, review and update it to ensure it does not permit reading of arbitrary database locations. As a temporary workaround, consider restricting access to the Derby Network Server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Xerces2 Java Parser versions prior to 2.12.0 **Description** The issue is related to resource management errors in the XML file analyzer. It can be exploited by a remote attacker using a specially crafted XML message, leading to a denial of service due to CPU consumption. This is achieved by triggering hash table collisions in an XML service. **Recommendations** For versions prior to 2.12.0, update to version 2.12.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the XML service to minimize the risk of exploitation. Avoid using the vulnerable parser until the issue is resolved.