oss-sec mailing list archives
[CVE-2016-4437] Apache Aurora information disclosure vulnerability
From: Bill Farner <wfarner () apache org>
Date: Wed, 1 Nov 2017 11:56:06 -0700
Versions Affected: Aurora 0.10.0 to 0.18.0

Description: The affected versions of the scheduler rely on a version of Apache Shiro which is vulnerable to CVE-2016-4437. Under certain conditions, the vulnerability allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Mitigation:
0.18.0 users should upgrade to 0.18.1.
0.10.0 - 0.17.0 users should upgrade to 0.18.1 or apply this patch: https://git-wip-us.apache.org/repos/asf?p=aurora.git;a=commit;h=ec640117
Alternatively, the INI configuration mitigations outlined in CVE-2016-4437 may be applied.

Credit: This issue was discovered by Greg Harris from the Fitbit Security team.