Posted to dev@iotdb.apache.org by Dawei Liu <li...@apache.org> on 2020/04/27 02:11:18 UTC
[CVE-2020-1952] Apache IoTDB (incubating) Remote Code Execution vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
IoTDB 0.9.0 to 0.9.1
IoTDB 0.8.0 to 0.8.2
Description:
When IoTDB starts, it exposes JMX on port 31999 without requiring authentication.
Any client that can reach that port can therefore execute code remotely on the server.
Mitigation: 0.8.x, 0.9.0, and 0.9.1 users should upgrade to 0.9.2.
Example: An attacker who can reach the JMX port can execute arbitrary code on the IoTDB server.
Credit: This issue was discovered by WuXiong of QI’ANXIN YunYing Lab.
Regards,
The Apache IoTDB team
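The advisory says the exposure is an unauthenticated JMX endpoint, so the practical check is whether a JMX client can open a session on port 31999 with no credentials. The probe below is an added example written for this page; it is not code from the Apache IoTDB project or from the advisory's author. It assumes the server uses the JVM's built-in remote JMX agent (the one enabled by com.sun.management.jmxremote.port), whose connector is registered in the RMI registry under the name jmxrmi; the host and port are taken from the command line and default to 127.0.0.1:31999.

```java
import java.io.IOException;
import java.util.Collections;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/*
 * Added example (not project code): probes a JMX port for missing authentication.
 *
 * Exit status: 1 if an unauthenticated session was established (the condition
 * described in CVE-2020-1952), 0 if the server demanded credentials, 2 if the
 * port could not be reached or the transport failed (no verdict either way).
 */
public class JmxAuthProbe {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 31999; // assumption: built-in agent on 31999

        // Standard service URL for the JVM's built-in agent; "jmxrmi" is the
        // registry name that agent uses (assumed here to be what the target runs).
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");

        // An empty environment map means: no jmx.remote.credentials at all.
        // If the server accepts this, anyone reaching the port gets full MBean
        // access, which on a JVM includes MBeans that can load and run code.
        try (JMXConnector connector = JMXConnectorFactory.connect(url, Collections.emptyMap())) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            Integer count = mbsc.getMBeanCount();
            System.out.println("VULNERABLE: " + host + ":" + port
                    + " accepted an unauthenticated JMX session (" + count + " MBeans visible)");
            System.exit(1);
        } catch (SecurityException e) {
            // The built-in agent's authenticator rejects a credential-less
            // connection with SecurityException ("Authentication failed! ...").
            System.out.println("OK: " + host + ":" + port
                    + " rejected the unauthenticated connection: " + e.getMessage());
            System.exit(0);
        } catch (IOException e) {
            // Connection refused, timeout, or an SSL/truststore problem when the
            // agent is configured with com.sun.management.jmxremote.ssl=true.
            // This is not evidence that authentication is enforced.
            System.out.println("NO VERDICT: could not complete the JMX handshake with "
                    + host + ":" + port + ": " + e);
            System.exit(2);
        }
    }
}
```

Compile and run with `javac JmxAuthProbe.java && java JmxAuthProbe <host> 31999`. Run it against a host you are authorised to test; a successful session is exactly the condition the advisory describes, and the fix per the advisory is to upgrade to 0.9.2. Independently of the upgrade, for any JVM that exposes the built-in agent, authentication is controlled by `-Dcom.sun.management.jmxremote.authenticate=true` together with `jmxremote.password` and `jmxremote.access` files, and the port should not be reachable from untrusted networks at all.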