A potential security vulnerability exists in a third-party library called Apache Commons Collections. This library is used in products distributed and supported by MapR, including MapR releases of HBase.

Why is this important to me?

Unprivileged users can attack an HBase installation by capturing valid RPC payloads, rewriting them to embed an exploit, and replaying them to trigger remote command execution with the privileges of the account under which the HBase RegionServer daemon is running. See also HBASE-14799 and this article.

Severity: Critical

Products Affected:

    HBase 0.94.24
    HBase 0.98





This vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
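To see which copies of the library a node actually carries, the following added example (not MapR or HBase code) inventories Commons Collections jars under a directory you pass in and flags versions older than the upstream hardened releases. The 3.2.2 and 4.1 thresholds come from the Apache release history rather than from this advisory, and the function names are hypothetical.

```python
import re
import sys
import zipfile
from pathlib import Path

# Assumption (upstream Apache release history, not stated in this advisory):
# 3.2.2 and 4.1 are the first Commons Collections releases that block
# deserialization of the unsafe functor classes.
FIXED = {3: (3, 2, 2), 4: (4, 1)}
NAME_RE = re.compile(r"commons-collections4?-(\d+(?:\.\d+)*)")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", re.M)


def jar_version(path):
    """Version tuple from the jar manifest, falling back to the file name."""
    match = None
    try:
        with zipfile.ZipFile(path) as jar:
            raw = jar.read("META-INF/MANIFEST.MF")
        match = MANIFEST_RE.search(raw.decode("utf-8", "replace"))
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no manifest or unreadable archive: try the file name instead
    match = match or NAME_RE.search(Path(path).name)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def scan(root):
    """Return (path, version, status) for each commons-collections jar under root."""
    results = []
    for path in sorted(Path(root).rglob("commons-collections*.jar")):
        version = jar_version(path)
        if version is None:
            status = "UNKNOWN"   # could not read a version: inspect by hand
        else:
            fixed = FIXED.get(version[0])
            status = "OK" if fixed and version >= fixed else "REVIEW"
        results.append((str(path), version, status))
    return results


if __name__ == "__main__":
    # The directory to scan comes from the command line; no MapR path is assumed.
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(status, ".".join(map(str, version)) if version else "?", path)
```

REVIEW marks a pre-fix copy of the library; it does not tell you whether the MapR HBase patch is installed, and copies bundled inside other jars are not matched by file name.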


Immediate Action Required:


The 1602 ecosystem release (released on 3.1.2016) from MapR contains patches for this vulnerability for HBase 94 and HBase 98. Download the latest mapr-ecosystem RPM for your operating system from the following locations:

    • HBase 0.94:



    • HBase 0.98:



For any questions or concerns regarding this notification, please contact MapR Support.


