Date: Thu, 05 Oct 2017 08:54:30 +0000 (UTC) From: Andrey Bazhenov <support@...dgain.freshdesk.com> To: oss-security@...ts.openwall.com Subject: [CVE-2017-14614] GridGain Visor GUI Console - File System Path Traversal Severity: Important Vendor: GridGain Systems Versions Affected: * GridGain 8.1.4 and earlier * GridGain 1.9.6 and earlier * GridGain 1.8.11 and earlier * GridGain 1.7.15 and earlier Impact: The vulnerability impacts GridGain Visor GUI Management Console users. Visor allows open log files of remote cluster nodes and observe them locally. To get the logs a user needs to provide a path to the files. Visor does not sanitize the path provided that might result in an unauthorized access to sensitive files. Description: Visor GUI Console uses a user-supplied input to construct a pathname to a remote directory with log files. The application does not sanitize this path and malicious application users can get an access to restricted or sensitive files stored on a server’s file system. Mitigation: Start cluster nodes under a system user that has restricted access to the file system. In addition, to make the cluster more secure consider using GridGain’s Security module setting up basic authentication and authorization parameters. Upgrade to the versions below to enable the path sanitization by default: * GridGain 8.1.5 or later * GridGain 1.9.7 or later * GridGain 1.8.12 or later * GridGain 1.7.16 or later References: * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14614
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ