Any Cloudera release for that as well?

On Saturday, August 24, 2013, Aaron T. Myers wrote:
> Hello,
>
> Please see below for the official announcement of a serious security
> vulnerability which has been discovered and subsequently fixed in Apache
> HBase releases.
>
> Best,
> Aaron
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2013-2193: Apache HBase Man in the Middle Vulnerability
>
> Severity: Severe
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> All versions of HBase 0.92.x prior to 0.92.3.
> All versions of HBase 0.94.x prior to 0.94.9.
>
> Users affected: Users who have enabled HBase's Kerberos security features
> and who run HBase co-located on a cluster with Hadoop MapReduce or Hadoop
> YARN.
>
> Impact: RPC traffic from clients to Region Servers may be intercepted by a
> malicious user with access to run tasks or containers on a cluster.
>
> Description:
> The Apache HBase RPC protocol is intended to provide bidirectional
> authentication between clients and servers. However, a malicious server or
> network attacker can unilaterally disable these authentication checks. This
> allows for potential reduction in the configured quality of protection of
> the RPC traffic, and privilege escalation if authentication credentials are
> passed over RPC.
>
> Mitigation:
> Users of HBase 0.92.x versions prior to 0.92.3 should immediately upgrade
> to 0.92.3 when it becomes available, or to 0.94.9 or later.
> Users of HBase 0.94.x versions prior to 0.94.9 should immediately upgrade
> to 0.94.9 or later.
>
> Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T.
> Myers of Cloudera.
