Date: Tue, 4 Apr 2017 07:31:52 -0700
From: Anthony Baker <abaker@...che.org>
To: user@...de.apache.org, dev@...de.apache.org, announce@...che.org, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: [CVE-2017-5649] Apache Geode information disclosure vulnerability

CVE-2017-5649: Apache Geode information disclosure vulnerability

Severity:  Medium
Base score:  5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)

Vendor:
The Apache Software Foundation

Versions Affected:
Geode 1.1.0

Description:
When a cluster has enabled security by setting the security-manager
property, a user should have DATA:READ permission to view data stored
in the cluster.  However, if an authenticated user has CLUSTER:READ
but not DATA:READ permission they can access the data
browser page in Pulse.  From there the user could execute an OQL query
that exposes data stored in the cluster.
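
The authorization gap described above, modelled as an added Python example: this is not Geode's code, and the Resource/Operation enums, the toy OQL executor, the sample region rows and the audit log are constructed for illustration. It shows the pattern the advisory implies: the Pulse data browser page is gated on CLUSTER:READ, but the query path must independently require DATA:READ, because having reached a UI page says nothing about a principal's authority over the data that page can display.

```python
"""Hypothetical model of the CVE-2017-5649 permission gap (not Apache Geode code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List


class Resource(Enum):
    CLUSTER = "CLUSTER"
    DATA = "DATA"


class Operation(Enum):
    READ = "READ"
    WRITE = "WRITE"
    MANAGE = "MANAGE"


@dataclass(frozen=True)
class Permission:
    resource: Resource
    operation: Operation

    def __str__(self) -> str:
        return f"{self.resource.value}:{self.operation.value}"


@dataclass(frozen=True)
class Principal:
    name: str
    grants: FrozenSet[Permission]


class AuthorizationError(PermissionError):
    pass


CLUSTER_READ = Permission(Resource.CLUSTER, Operation.READ)
DATA_READ = Permission(Resource.DATA, Operation.READ)

# Constructed sample region contents standing in for data stored in the cluster.
REGIONS: Dict[str, List[dict]] = {
    "Customers": [
        {"id": 1, "name": "Alice", "email": "alice@example.test"},
        {"id": 2, "name": "Bob", "email": "bob@example.test"},
    ]
}

# Denied requests are recorded here so a defender can alert on repeated attempts.
AUDIT_LOG: List[str] = []


def authorize(principal: Principal, required: Permission, context: str) -> None:
    """Raise unless the principal holds the required permission; log every denial."""
    if required not in principal.grants:
        AUDIT_LOG.append(f"DENY {principal.name} {required} in {context}")
        raise AuthorizationError(f"{principal.name} lacks {required} for {context}")


def execute_oql(query: str) -> List[dict]:
    """Toy OQL: only 'SELECT * FROM /<Region>' against the constructed regions."""
    parts = query.split()
    if (len(parts) != 4 or parts[0].upper() != "SELECT" or parts[1] != "*"
            or parts[2].upper() != "FROM" or not parts[3].startswith("/")):
        raise ValueError("unsupported query")
    region = parts[3][1:]
    if region not in REGIONS:
        raise KeyError(region)
    return list(REGIONS[region])


def open_data_browser(principal: Principal) -> str:
    """Page-level gate: viewing the Pulse data browser page needs CLUSTER:READ."""
    authorize(principal, CLUSTER_READ, "pulse data browser page")
    return "data-browser"


def run_query_before(principal: Principal, query: str) -> List[dict]:
    """Before: the query path trusts the page gate, so CLUSTER:READ alone exposes data."""
    open_data_browser(principal)
    return execute_oql(query)


def run_query_after(principal: Principal, query: str) -> List[dict]:
    """After: the data-access path re-checks the permission the data itself requires."""
    open_data_browser(principal)
    authorize(principal, DATA_READ, f"OQL query {query!r}")
    return execute_oql(query)


def query_allowed(handler: Callable[[Principal, str], List[dict]],
                  principal: Principal, query: str) -> bool:
    """Report whether a handler lets the principal run the query (before/after comparison)."""
    try:
        handler(principal, query)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    monitor = Principal("monitor", frozenset({CLUSTER_READ}))  # cluster-only role
    print(run_query_before(monitor, "SELECT * FROM /Customers"))  # rows exposed
    print(query_allowed(run_query_after, monitor, "SELECT * FROM /Customers"))  # False
    print(AUDIT_LOG)
```

The design point is that `authorize` runs on the data-access path with the permission the data requires, not only on the page that reaches it; the audit entries written on denial are what a detection rule would consume.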

Mitigation:
1.1.0 users should upgrade to 1.1.1

Credit:
This issue was discovered by Jinmei Liao.

References:
https://www.apache.org/security/
