[ https://issues.apache.org/jira/browse/HBASE-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15001644#comment-15001644 ]

Hadoop QA commented on HBASE-14799:
-----------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12771904/HBASE-14799-0.94.patch
  against 0.94 branch at commit 1f62a487284b57fca505bc1b3d04c1f86b2e7d76.
  ATTACHMENT ID: 12771904

    {color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

    {color:green}+1 tests included{color}.  The patch appears to include 4 new 
or modified tests.

    {color:green}+1 hadoop versions{color}. The patch compiles with all 
supported hadoop versions (2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.0 2.6.1 2.7.0 
2.7.1)

    {color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

    {color:green}+1 protoc{color}.  The applied patch does not increase the 
total number of protoc compiler warnings.

    {color:red}-1 javadoc{color}.  The javadoc tool appears to have generated 
117 warning messages.

    {color:green}+1 checkstyle{color}.  The applied patch does not increase the 
total number of checkstyle errors

    {color:green}+1 findbugs{color}.  The patch does not introduce any  new 
Findbugs (version 2.0.3) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

    {color:green}+1 lineLengths{color}.  The patch does not introduce lines 
longer than 100

    {color:red}-1 site{color}.  The patch appears to cause mvn post-site goal 
to fail.

    {color:red}-1 core tests{color}.  The patch failed these unit tests:
      org.apache.hadoop.hbase.io.hfile.TestHFileReaderV1
      org.apache.hadoop.hbase.TestClassFinder

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/16497//testReport/
Release Findbugs (version 2.0.3) warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/16497//artifact/patchprocess/newFindbugsWarnings.html
Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/16497//artifact/patchprocess/checkstyle-aggregate.html
Javadoc warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/16497//artifact/patchprocess/patchJavadocWarnings.txt
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/16497//console

This message is automatically generated.

> Commons-collections object deserialization remote command execution 
> vulnerability 
> ----------------------------------------------------------------------------------
>
>                 Key: HBASE-14799
>                 URL: https://issues.apache.org/jira/browse/HBASE-14799
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Critical
>             Fix For: 0.94.28, 0.98.17
>
>         Attachments: HBASE-14799-0.94.patch, HBASE-14799-0.98.patch
>
>
> Read: 
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and 
> process Java object serialization data, then you probably have an exploitable 
> remote command execution vulnerability. 
> 0.94 and earlier HBase releases are vulnerable because we might read in and 
> rehydrate serialized Java objects out of RPC packet data in 
> HbaseObjectWritable using ObjectInputStream#readObject (see 
> https://hbase.apache.org/0.94/xref/org/apache/hadoop/hbase/io/HbaseObjectWritable.html#714)
>  and we have commons-collections on the classpath on the server.
> 0.98 also carries some limited exposure to this problem through inclusion of 
> backwards compatible deserialization code in 
> HbaseObjectWritableFor96Migration. This is used by the 0.94-to-0.98 migration 
> utility, and by the AccessController when reading permissions from the ACL 
> table serialized in legacy format by 0.94. Unprivileged users cannot run the 
> tool nor access the ACL table.
> Unprivileged users can however attack a 0.94 installation. An attacker might 
> be able to use the method discussed on that blog post to capture valid HBase 
> RPC payloads for 0.94 and prior versions, rewrite them to embed an exploit, 
> and replay them to trigger a remote command execution with the privileges of 
> the account under which the HBase RegionServer daemon is running.
> We need to make a patch release of 0.94 that changes HbaseObjectWritable to 
> disallow processing of random Java object serializations. This will be a 
> compatibility break that might affect old style coprocessors, which quite 
> possibly may rely on this catch-all in HbaseObjectWritable for custom object 
> (de)serialization. We can introduce a new configuration setting, 
> "hbase.allow.legacy.object.serialization", defaulting to false.
> To be thorough, we can also use the new configuration setting  
> "hbase.allow.legacy.object.serialization" (defaulting to false) in 0.98 to 
> prevent the AccessController from falling back to the vulnerable legacy code. 
> This turns out to not affect the ability to migrate permissions because 
> TablePermission implements Writable, which is safe, not Serializable. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
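
The mitigation described in the quoted issue, as an added example that is not the HBase patch or any project code: Java object deserialization is refused unless "hbase.allow.legacy.object.serialization" is set to true. It goes one step beyond the issue by also restricting the classes that may be resolved when the setting is enabled. The class and method names are hypothetical, `java.util.Properties` stands in for the HBase Configuration, and the sample inputs are constructed.

```java
import java.io.*;
import java.util.*;
public class LegacyObjectGate {
    // Setting name proposed in the issue; absent means false (deny).
    static final String KEY = "hbase.allow.legacy.object.serialization";

    // Refuses to resolve any class that is not on the allowlist.
    static final class AllowlistInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not allowlisted");
            }
            return super.resolveClass(desc);
        }
    }

    // Hypothetical helper; Properties stands in for the HBase Configuration.
    static Object readLegacyObject(byte[] data, Properties conf, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        if (!Boolean.parseBoolean(conf.getProperty(KEY, "false"))) {
            throw new IOException("Java object deserialization disabled; see " + KEY);
        }
        return new AllowlistInputStream(new ByteArrayInputStream(data), allowed).readObject();
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton("java.util.Date");
        Properties conf = new Properties();
        byte[] date = serialize(new Date(0L));   // constructed sample inputs
        byte[] list = serialize(new ArrayList<String>());
        try { readLegacyObject(date, conf, allowed); }   // setting absent: refused
        catch (IOException e) { System.out.println("default: " + e.getMessage()); }
        conf.setProperty(KEY, "true");
        System.out.println("enabled: " + readLegacyObject(date, conf, allowed));
        try { readLegacyObject(list, conf, allowed); }   // enabled, but class not listed
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The class check runs in `resolveClass`, before any object of that class is instantiated, so a stream naming an unlisted class is rejected without running that class's deserialization logic.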
