Date: Thu, 19 Jul 2018 10:04:16 -0700 From: Denis Magda <dmagda@...che.org> To: announce@...che.org, security@...ite.apache.org, Apache Security Team <security@...che.org>, "Rai, Harendra" <harendra.rai@....com>, oss-security@...ts.openwall.com Cc: user@...ite.apache.org, dev <dev@...ite.apache.org> Subject: [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons Severity: Important Vendor: The Apache Software Foundation Versions Affected: * Apache Ignite 1.0.0-RC3 to 2.5 Impact: An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST or Spring Data Description: Apache Ignite utilizes Spring Data Common library for some of its components. The vulnerability affects Apache Ignite users who us Spring Data REST for access an Ignite cluster via HTTP and Spring Data. Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. Mitigation: * Upgrade to Apache Ignite 2.6 or later that include Spring Data Commons versions not vulnerable to the disclosed issue. Credit: * Harendra Rai of NCR Corporation discovered the impact of the existing vulnerability on Apache Ignite. References: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1273 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1274
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.