Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 9 Jan 2018 14:07:14 -0800
From: Anthony Baker <abaker@...che.org>
To: user@...de.apache.org, dev@...de.apache.org, announce@...che.org, 
	asf-security <security@...che.org>, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-12622 Apache Geode gfsh authorization vulnerability

CVE-2017-12622 Apache Geode gfsh authorization vulnerability

Severity:  Important

Vendor: The Apache Software Foundation

Versions Affected:  Apache Geode 1.0.0 through 1.2.1

Description:
When an authenticated user connects to a Geode cluster using the gfsh
tool with HTTP, the user is able to obtain status information and
control cluster members even without CLUSTER:MANAGE privileges.

Mitigation:
Users of the affected versions should upgrade to Apache Geode 1.3.0 or later.

Credit:
This issue was reported responsibly to the Apache Geode Security Team
by Patrick Rhomberg from Pivotal.

References:
[1] https://issues.apache.org/jira/browse/GEODE-3685
[2] https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities

---
The Geode PMC

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.