You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Anthony Baker <ab...@apache.org> on 2017/04/04 14:31:52 UTC

[CVE-2017-5649] Apache Geode information disclosure vulnerability

CVE-2017-5649: Apache Geode information disclosure vulnerability

Severity:  Medium
Base score:  5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)

Vendor:
The Apache Software Foundation

Versions Affected:
Geode 1.1.0

Description:
When a cluster has enabled security by setting the security-manager
property, a user should have DATA:READ permission to view data stored
in the cluster.  However, if an authenticated user has CLUSTER:READ
but not DATA:READ permission they can access the data
browser page in Pulse.  From there the user could execute an OQL query
that exposes data stored in the cluster.

Mitigation:
1.1.0 users should upgrade to 1.1.1

Credit:
This issue was discovered by Jinmei Liao.

References:
https://www.apache.org/security/

Re: [DISCUSS] security threats (was Re: [CVE-2017-5649] Apache Geode information disclosure vulnerability)

Posted by William Markito Oliveira <wi...@gmail.com>.

Looks like a great wiki page to me. ;)

Cool summary Anthony! 

Sent from my iPhone

> On Apr 5, 2017, at 11:49 AM, Anthony Baker <ab...@pivotal.io> wrote:
> 
> As a follow up to this CVE, I wanted to share the process for reporting and responding to security issues:
> 
> https://www.apache.org/security/
> https://www.apache.org/security/committers.html
> 
> Here’s the short version:
> 
> - Report the vulnerability privately (security@apache.org | private@geode.apache.org)
> - Fix the vulnerability
> - Release a new version(s) with the fix
> - Disclose the vulnerability
> 
> Secondly, I think it would be valuable to get the community’s perspective on the kinds of security threats that a Geode deployment may encounter.  Here are a few questions to spark the conversation:
> 
> - When is a bug a security bug?
> - When does a bug require a CVE and disclosure?
> - How do we know how severe a security issue is?
> - How soon do we need to respond to a security issue?
> 
> Anthony
> 
>> On Apr 4, 2017, at 7:31 AM, Anthony Baker <ab...@apache.org> wrote:
>> 
>> CVE-2017-5649: Apache Geode information disclosure vulnerability
>> 
>> Severity:  Medium
>> Base score:  5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
>> 
>> Vendor:
>> The Apache Software Foundation
>> 
>> Versions Affected:
>> Geode 1.1.0
>> 
>> Description:
>> When a cluster has enabled security by setting the security-manager
>> property, a user should have DATA:READ permission to view data stored
>> in the cluster.  However, if an authenticated user has CLUSTER:READ
>> but not DATA:READ permission they can access the data
>> browser page in Pulse.  From there the user could execute an OQL query
>> that exposes data stored in the cluster.
>> 
>> Mitigation:
>> 1.1.0 users should upgrade to 1.1.1
>> 
>> Credit:
>> This issue was discovered by Jinmei Liao.
>> 
>> References:
>> https://www.apache.org/security/
>

[DISCUSS] security threats (was Re: [CVE-2017-5649] Apache Geode information disclosure vulnerability)

Posted by Anthony Baker <ab...@pivotal.io>.

As a follow up to this CVE, I wanted to share the process for reporting and responding to security issues:

https://www.apache.org/security/
https://www.apache.org/security/committers.html

Here’s the short version:

- Report the vulnerability privately (security@apache.org | private@geode.apache.org)
- Fix the vulnerability
- Release a new version(s) with the fix
- Disclose the vulnerability

Secondly, I think it would be valuable to get the community’s perspective on the kinds of security threats that a Geode deployment may encounter.  Here are a few questions to spark the conversation:

- When is a bug a security bug?
- When does a bug require a CVE and disclosure?
- How do we know how severe a security issue is?
- How soon do we need to respond to a security issue?

Anthony

> On Apr 4, 2017, at 7:31 AM, Anthony Baker <ab...@apache.org> wrote:
> 
> CVE-2017-5649: Apache Geode information disclosure vulnerability
> 
> Severity:  Medium
> Base score:  5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Geode 1.1.0
> 
> Description:
> When a cluster has enabled security by setting the security-manager
> property, a user should have DATA:READ permission to view data stored
> in the cluster.  However, if an authenticated user has CLUSTER:READ
> but not DATA:READ permission they can access the data
> browser page in Pulse.  From there the user could execute an OQL query
> that exposes data stored in the cluster.
> 
> Mitigation:
> 1.1.0 users should upgrade to 1.1.1
> 
> Credit:
> This issue was discovered by Jinmei Liao.
> 
> References:
> https://www.apache.org/security/