PT-2019-11193 · Apache · Apache HBase
Bradley Parker · Published 2019-03-28 · Updated 2020-08-24 · CVE-2019-0212
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Apache HBase versions 2.0.0 through 2.0.4
Apache HBase versions 2.1.0 through 2.1.3
Description:
The issue is incorrect authorization in the HBase REST server: requests were executed with the permissions of the REST server rather than those of the end user. It occurs when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server uses SPNEGO authentication. The issue is limited to the HBase REST server.
Recommendations:
For Apache HBase versions 2.0.0 through 2.0.4, consider disabling the HBase REST server until a patch is available.
For Apache HBase versions 2.1.0 through 2.1.3, consider disabling the HBase REST server until a patch is available.
As a temporary workaround, restrict access to the HBase REST server to minimize the risk of exploitation.
Weakness Enumeration:
Improper Authorization
Affected Products:
Apache HBase