Posted to user@aurora.apache.org by Bill Farner <wf...@apache.org> on 2017/11/01 18:54:21 UTC

[CVE-2016-4437] Apache Aurora information disclosure vulnerability

Versions Affected:
Aurora 0.10.0 to 0.18.0

Description:
The affected versions of the scheduler rely on a version of Apache Shiro
which is vulnerable to CVE-2016-4437.  Under certain conditions, the
vulnerability allows remote attackers to execute arbitrary code or bypass
intended access restrictions via an unspecified request parameter.

Mitigation:
0.18.0 users should upgrade to 0.18.1
0.10.0 - 0.17.0 users should upgrade to 0.18.1 or apply this patch
https://git-wip-us.apache.org/repos/asf?p=aurora.git;a=commit;h=ec640117
Alternatively, INI configuration mitigations outlined in CVE-2016-4437
may be applied.
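
The Shiro issue referenced above (per the CVE-2016-4437 description, it applies when no cipher key has been configured for the remember-me feature) means the INI mitigation amounts to setting that key explicitly. The following Python audit helper is an added example, not part of this advisory or of the Aurora project: it checks a scheduler version against the affected range stated above and inspects a shiro.ini for an explicit remember-me cipher key. The property path `securityManager.rememberMeManager.cipherKey` and the sample INI are assumptions constructed for illustration.

```python
import configparser
import re

# Affected range from the advisory: Aurora 0.10.0 through 0.18.0; fixed in 0.18.1.
AFFECTED_MIN = (0, 10, 0)
AFFECTED_MAX = (0, 18, 0)

# Assumed Shiro INI property path for the remember-me cipher key
# (not stated on the advisory page).
CIPHER_KEY_PROP = "securityManager.rememberMeManager.cipherKey"

# Constructed sample shiro.ini with the mitigation applied (placeholder key value).
SAMPLE_INI = """\
[main]
; constructed sample for illustration only
securityManager.rememberMeManager.cipherKey = REPLACE_WITH_YOUR_OWN_BASE64_KEY
[urls]
/** = authc
"""

def parse_version(s):
    """Turn '0.18.1' into (0, 18, 1); reject anything that is not three dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    """True if the scheduler version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def ini_sets_cipher_key(ini_text):
    """True if the [main] section explicitly configures a non-empty remember-me cipher key."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # Shiro property paths are case-sensitive; keep them as written
    cp.read_string(ini_text)
    if not cp.has_section("main"):
        return False
    return bool(cp.get("main", CIPHER_KEY_PROP, fallback="").strip())

def assess(version, ini_text):
    """Summarise which of the advisory's mitigations still applies to this deployment."""
    if not version_affected(version):
        return "not affected"
    if ini_sets_cipher_key(ini_text):
        return "affected version, INI mitigation present: upgrade to 0.18.1 when possible"
    return "affected version, no INI mitigation: upgrade to 0.18.1 or apply the patch"

if __name__ == "__main__":
    print(assess("0.17.0", SAMPLE_INI))
```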

Credit:
This issue was discovered by Greg Harris from the Fitbit Security team.