Message-ID: <CAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw@mail.gmail.com>
Date: Fri, 29 Sep 2017 10:33:38 -0700
From: Anthony Baker <abaker@...che.org>
To: user@...de.apache.org, dev@...de.apache.org, announce@...che.org, 
	security@...che.org, oss-security@...ts.openwall.com
Cc: Jared Stewart <jstewart@...otal.io>
Subject: [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability

CVE-2017-9794 Apache Geode gfsh query vulnerability

Severity: Low
CVSS Base Score 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vendor: The Apache Software Foundation

Versions Affected:
Apache Geode 1.0.0 through 1.2.0

Description:
When a cluster is operating in secure mode, a user with read
privileges for specific data regions can use the gfsh command line
utility to execute queries. The query results may contain data from
another user’s concurrently executing gfsh query, potentially
revealing data that the user is not authorized to view.

Mitigation:
Users of the affected versions should upgrade to Apache Geode 1.2.1 or later.
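
As an added triage example (not part of the advisory or of the Geode project), the following script applies the two conditions stated above, a version in the affected range 1.0.0 through 1.2.0 and a cluster running in secure mode, to a constructed inventory; the inventory entries and the handling of a trailing qualifier such as "-SNAPSHOT" are assumptions.

```python
import re
from typing import Tuple

# Affected range taken from the advisory: Apache Geode 1.0.0 through 1.2.0
# (inclusive). The fix shipped in 1.2.1.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 2, 0)
FIXED_VERSION = (1, 2, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a Geode version string such as '1.2.0' into a comparable tuple.

    Numeric comparison matters: plain string comparison would rank '1.10.0'
    below '1.2.0'. A trailing qualifier (e.g. '1.2.0-SNAPSHOT') is ignored;
    that is an assumption made here so development builds still triage.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def needs_upgrade(version: str, secure_mode: bool) -> bool:
    """Both advisory conditions: affected version AND cluster in secure mode.

    The advisory scopes the issue to clusters operating in secure mode, so a
    cluster without security enabled is not exposed to this particular bug
    (it has other, larger problems, but not CVE-2017-9794).
    """
    return secure_mode and is_affected_version(version)


if __name__ == "__main__":
    # Constructed sample inventory (name, version, secure mode); not real data.
    inventory = [
        ("cluster-a", "1.2.0", True),
        ("cluster-b", "1.2.1", True),
        ("cluster-c", "1.1.1", False),
        ("cluster-d", "1.10.0", True),
    ]
    for name, ver, secure in inventory:
        status = "UPGRADE to 1.2.1+" if needs_upgrade(ver, secure) else "ok"
        print(f"{name:10s} {ver:12s} secure={secure!s:5s} {status}")
```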

Credit:
This issue was reported responsibly to the Apache Geode PMC by Jared
Stewart from Pivotal.

References:
[1] https://issues.apache.org/jira/browse/GEODE-3217
[2] https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities

---
The Geode PMC
