Posted to announce@apache.org by Anthony Baker <ab...@apache.org> on 2017/04/04 14:31:52 UTC
[CVE-2017-5649] Apache Geode information disclosure vulnerability
CVE-2017-5649: Apache Geode information disclosure vulnerability
Severity: Medium
Base score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
Vendor:
The Apache Software Foundation
Versions Affected:
Geode 1.1.0
Description:
When a cluster has enabled security by setting the security-manager
property, a user should have DATA:READ permission to view data stored
in the cluster. However, if an authenticated user has CLUSTER:READ
but not DATA:READ permission, they can still access the data
browser page in Pulse. From there the user could execute an OQL query
that exposes data stored in the cluster.
Mitigation:
1.1.0 users should upgrade to 1.1.1
Credit:
This issue was discovered by Jinmei Liao.
References:
https://www.apache.org/security/
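The permission gap the advisory describes, modelled as an added example (this is not Geode's or Pulse's own code): a minimal RESOURCE:OPERATION permission check, with the data-browser gate as it behaves in the vulnerable case beside a gate that also requires DATA:READ before running the query. The operation hierarchy (MANAGE implies WRITE implies READ), the function names and the sample OQL string are assumptions made for the example.

```python
# Added example, not Geode's code: a simplified model of Geode-style
# RESOURCE:OPERATION permissions and the Pulse data-browser authorization gate.
from dataclasses import dataclass

RESOURCES = ("CLUSTER", "DATA")
# Assumed operation hierarchy: MANAGE implies WRITE, which implies READ.
OPERATION_RANK = {"READ": 1, "WRITE": 2, "MANAGE": 3}


@dataclass(frozen=True)
class ResourcePermission:
    resource: str
    operation: str

    @classmethod
    def parse(cls, text):
        resource, _, operation = text.upper().partition(":")
        if resource not in RESOURCES or operation not in OPERATION_RANK:
            raise ValueError(f"unknown permission {text!r}")
        return cls(resource, operation)

    def implies(self, required):
        # A permission on one resource never implies one on another resource:
        # CLUSTER:READ says nothing at all about DATA:READ.
        return (self.resource == required.resource
                and OPERATION_RANK[self.operation] >= OPERATION_RANK[required.operation])


def is_authorized(granted, required_text):
    required = ResourcePermission.parse(required_text)
    return any(ResourcePermission.parse(g).implies(required) for g in granted)


# Constructed sample query; it is only a label here and is never executed.
SAMPLE_QUERY = "SELECT * FROM /Customers"


def data_browser_query_before_fix(granted, query=SAMPLE_QUERY):
    """Vulnerable pattern: opening the page is gated on CLUSTER:READ, and the
    OQL query then runs without any separate DATA:READ check."""
    if not is_authorized(granted, "CLUSTER:READ"):
        return "denied: CLUSTER:READ required to open Pulse"
    return f"executed {query!r}"


def data_browser_query_after_fix(granted, query=SAMPLE_QUERY):
    """Hardened gate: CLUSTER:READ still opens the page, but the query itself
    is refused unless the caller also holds DATA:READ."""
    if not is_authorized(granted, "CLUSTER:READ"):
        return "denied: CLUSTER:READ required to open Pulse"
    if not is_authorized(granted, "DATA:READ"):
        return "denied: DATA:READ required to run OQL"
    return f"executed {query!r}"
```

The check worth carrying into any management UI is the second one: the permission required to open a page is not the permission required for each action the page can trigger.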
Re: [DISCUSS] security threats (was Re: [CVE-2017-5649] Apache Geode information disclosure vulnerability)
Posted by William Markito Oliveira <wi...@gmail.com>.
Looks like a great wiki page to me. ;)
Cool summary Anthony!
Sent from my iPhone
> On Apr 5, 2017, at 11:49 AM, Anthony Baker <ab...@pivotal.io> wrote:
>
> As a follow up to this CVE, I wanted to share the process for reporting and responding to security issues:
>
> https://www.apache.org/security/
> https://www.apache.org/security/committers.html
>
> Here’s the short version:
>
> - Report the vulnerability privately (security@apache.org | private@geode.apache.org)
> - Fix the vulnerability
> - Release a new version(s) with the fix
> - Disclose the vulnerability
>
> Secondly, I think it would be valuable to get the community’s perspective on the kinds of security threats that a Geode deployment may encounter. Here are a few questions to spark the conversation:
>
> - When is a bug a security bug?
> - When does a bug require a CVE and disclosure?
> - How do we know how severe a security issue is?
> - How soon do we need to respond to a security issue?
>
> Anthony
[DISCUSS] security threats (was Re: [CVE-2017-5649] Apache Geode information disclosure vulnerability)
Posted by Anthony Baker <ab...@pivotal.io>.
As a follow up to this CVE, I wanted to share the process for reporting and responding to security issues:
https://www.apache.org/security/
https://www.apache.org/security/committers.html
Here’s the short version:
- Report the vulnerability privately (security@apache.org | private@geode.apache.org)
- Fix the vulnerability
- Release a new version(s) with the fix
- Disclose the vulnerability
Secondly, I think it would be valuable to get the community’s perspective on the kinds of security threats that a Geode deployment may encounter. Here are a few questions to spark the conversation:
- When is a bug a security bug?
- When does a bug require a CVE and disclosure?
- How do we know how severe a security issue is?
- How soon do we need to respond to a security issue?
Anthony