cnvd - cnvd-2015-03442

cnvd-2015-03442

Vulnerability from cnvd

Title: Apache HBase存在多个远程漏洞

Description:

Apache HBase是一个面向线上服务的数据库，其原生支持Hadoop的特性，使其成为那些基于Hadoop的扩展性和灵活性进行数据处理的应用显而易见的选择。

HBase 0.98.0 - 0.98.12、1.0.0 - 1.0.1、1.1.0版本存在逻辑错误，可以通过不安全的ACL处理其在ZooKeeper内的协调状态，进而造成拒绝服务、信息泄露等问题。

Severity: 中

Patch Name: Apache HBase多个远程漏洞的补丁

Patch Description:

Apache HBase是一个面向线上服务的数据库，其原生支持Hadoop的特性，使其成为那些基于Hadoop的扩展性和灵活性进行数据处理的应用显而易见的选择。HBase 0.98.0 - 0.98.12、1.0.0 - 1.0.1、1.1.0版本存在逻辑错误，可以通过不安全的ACL处理其在ZooKeeper内的协调状态，进而造成拒绝服务、信息泄露等问题。目前，厂商已经发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://hbase.apache.org/book.html#hbase.rolling.upgrade

Reference: http://www.linuxidc.com/Linux/2015-05/118038.htm

Impacted products

Name
['Apache Group HBase 1.1.0', 'Apache Group HBase 1.0.0', 'Apache Group HBase 1.0.1', 'Apache Group HBase 0.98.0-0.98.12']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-1836"
    }
  },
  "description": "Apache HBase\u662f\u4e00\u4e2a\u9762\u5411\u7ebf\u4e0a\u670d\u52a1\u7684\u6570\u636e\u5e93\uff0c\u5176\u539f\u751f\u652f\u6301Hadoop\u7684\u7279\u6027\uff0c\u4f7f\u5176\u6210\u4e3a\u90a3\u4e9b\u57fa\u4e8eHadoop\u7684\u6269\u5c55\u6027\u548c\u7075\u6d3b\u6027\u8fdb\u884c\u6570\u636e\u5904\u7406\u7684\u5e94\u7528\u663e\u800c\u6613\u89c1\u7684\u9009\u62e9\u3002 \r\n\r\nHBase 0.98.0 - 0.98.12\u30011.0.0 - 1.0.1\u30011.1.0\u7248\u672c\u5b58\u5728\u903b\u8f91\u9519\u8bef\uff0c\u53ef\u4ee5\u901a\u8fc7\u4e0d\u5b89\u5168\u7684ACL\u5904\u7406\u5176\u5728ZooKeeper\u5185\u7684\u534f\u8c03\u72b6\u6001\uff0c\u8fdb\u800c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3001\u4fe1\u606f\u6cc4\u9732\u7b49\u95ee\u9898\u3002",
  "discovererName": "Paul Codding",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a http://hbase.apache.org/book.html#hbase.rolling.upgrade",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-03442",
  "openTime": "2015-05-29",
  "patchDescription": "Apache HBase\u662f\u4e00\u4e2a\u9762\u5411\u7ebf\u4e0a\u670d\u52a1\u7684\u6570\u636e\u5e93\uff0c\u5176\u539f\u751f\u652f\u6301Hadoop\u7684\u7279\u6027\uff0c\u4f7f\u5176\u6210\u4e3a\u90a3\u4e9b\u57fa\u4e8eHadoop\u7684\u6269\u5c55\u6027\u548c\u7075\u6d3b\u6027\u8fdb\u884c\u6570\u636e\u5904\u7406\u7684\u5e94\u7528\u663e\u800c\u6613\u89c1\u7684\u9009\u62e9\u3002HBase 0.98.0 - 0.98.12\u30011.0.0 - 1.0.1\u30011.1.0\u7248\u672c\u5b58\u5728\u903b\u8f91\u9519\u8bef\uff0c\u53ef\u4ee5\u901a\u8fc7\u4e0d\u5b89\u5168\u7684ACL\u5904\u7406\u5176\u5728ZooKeeper\u5185\u7684\u534f\u8c03\u72b6\u6001\uff0c\u8fdb\u800c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3001\u4fe1\u606f\u6cc4\u9732\u7b49\u95ee\u9898\u3002\u76ee\u524d\uff0c\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache HBase\u591a\u4e2a\u8fdc\u7a0b\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Group  HBase 1.1.0",
      "Apache Group  HBase 1.0.0",
      "Apache Group  HBase 1.0.1",
      "Apache Group  HBase 0.98.0-0.98.12"
    ]
  },
  "referenceLink": "http://www.linuxidc.com/Linux/2015-05/118038.htm",
  "serverity": "\u4e2d",
  "submitTime": "2015-05-27",
  "title": "Apache HBase\u5b58\u5728\u591a\u4e2a\u8fdc\u7a0b\u6f0f\u6d1e"
}

CVE-2015-1836 (GCVE-0-2015-1836)

Vulnerability from cvelistv5

Published

2015-12-21 11:00

Modified

2024-08-06 04:54

Severity ?

CWE

Summary

Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic.

References

▼	URL	Tags
	http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E	mailing-list, x_refsource_MLIST
	http://www-01.ibm.com/support/docview.wss?uid=swg21969546	x_refsource_CONFIRM
	https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1034365	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:54:16.347Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[www-announce] 20150525 CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html"
          },
          {
            "name": "1034365",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1034365"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-05-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-03-23T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[www-announce] 20150525 CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html"
        },
        {
          "name": "1034365",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1034365"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-1836",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[www-announce] 20150525 CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg@mail.gmail.com%3E"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546"
            },
            {
              "name": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html",
              "refsource": "CONFIRM",
              "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html"
            },
            {
              "name": "1034365",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1034365"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-1836",
    "datePublished": "2015-12-21T11:00:00",
    "dateReserved": "2015-02-17T00:00:00",
    "dateUpdated": "2024-08-06T04:54:16.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted