Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 05 Oct 2017 08:54:30 +0000 (UTC)
From: Andrey Bazhenov <support@...dgain.freshdesk.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2017-14614] GridGain Visor GUI Console - File System Path
 Traversal

Severity: Important 
   
 Vendor: GridGain Systems 
   
 Versions Affected: 
   
 * GridGain 8.1.4 and earlier 
 * GridGain 1.9.6 and earlier 
 * GridGain 1.8.11 and earlier 
 * GridGain 1.7.15 and earlier 
   
 Impact: 
   The vulnerability impacts GridGain Visor GUI Management Console users. Visor allows open log files of remote cluster nodes and observe them locally. To get the logs a user needs to provide a path to the files. Visor does not sanitize the path provided that might result in an unauthorized access to sensitive files. 
   
 Description: 
   Visor GUI Console uses a user-supplied input to construct a pathname to a remote directory with log files. The application does not sanitize this path and malicious application users can get an access to restricted or sensitive files stored on a server’s file system. 
   
 Mitigation: 
   
 Start cluster nodes under a system user that has restricted access to the file system. 
 In addition, to make the cluster more secure consider using GridGain’s Security module setting up basic authentication and authorization parameters.  
   
 Upgrade to the versions below to enable the path sanitization by default: 
 * GridGain 8.1.5 or later 
 * GridGain 1.9.7 or later 
 * GridGain 1.8.12 or later 
 * GridGain 1.7.16 or later 
   
 References: 
   
 * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14614



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ