Race condition in HBase - CVE-2018-8025
Published: July 5, 2018 / Updated: July 6, 2018
Vulnerability identifier: #VU13597
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-8025
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
HBase
HBase
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication on the target system.
The weakness exists in the Thrift 1 API Server component of Apache HBase due to improper synchronization of a variable that is used across multiple threads when executing over HTTP. A remote attacker can trigger race condition during session authentication operations, bypass authentication restrictions and improperly access the system.
The weakness exists in the Thrift 1 API Server component of Apache HBase due to improper synchronization of a variable that is used across multiple threads when executing over HTTP. A remote attacker can trigger race condition during session authentication operations, bypass authentication restrictions and improperly access the system.
How to mitigate CVE-2018-8025
The vulnerability is fixed in the versions: 3.0.0, 2.1.0, 1.5.0, 1.2.7, 1.3.3, 1.4.5, 1.2.6.1, 1.3.2.1, 2.0.0.1.