oss-sec mailing list archives

[CVE-2017-14614] GridGain Visor GUI Console - File System Path Traversal


From: Andrey Bazhenov <support () gridgain freshdesk com>
Date: Thu, 05 Oct 2017 08:54:30 +0000 (UTC)

Severity: Important 
   
 Vendor: GridGain Systems 
   
 Versions Affected: 
   
 * GridGain 8.1.4 and earlier 
 * GridGain 1.9.6 and earlier 
 * GridGain 1.8.11 and earlier 
 * GridGain 1.7.15 and earlier 
   
 Impact: 
   The vulnerability affects users of the GridGain Visor GUI Management Console. Visor allows users to open log files 
of remote cluster nodes and view them locally. To get the logs, a user provides a path to the files. Visor does not 
sanitize the provided path, which might result in unauthorized access to sensitive files. 
   
 Description: 
   Visor GUI Console uses user-supplied input to construct a pathname to a remote directory with log files. The 
application does not sanitize this path, so malicious application users can gain access to restricted or sensitive 
files stored on the server's file system. 
   
 Mitigation: 
   
 Start cluster nodes under a system user that has restricted access to the file system. 
 In addition, to make the cluster more secure, consider using GridGain's Security module to set up basic 
authentication and authorization parameters. 
   
 Upgrade to one of the versions below to enable path sanitization by default: 
 * GridGain 8.1.5 or later 
 * GridGain 1.9.7 or later 
 * GridGain 1.8.12 or later 
 * GridGain 1.7.16 or later 
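
The path sanitization the fixed versions enable is, in general terms, a confinement check: canonicalize the requested path and accept it only if it stays under the directory the log viewer is allowed to serve. The example below is added here to illustrate that check; it is not GridGain's code, and the log-root layout, file names and the `resolve_log_path` helper are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_log_path(log_root: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` if it lies inside `log_root`,
    otherwise None. Generic confinement check, not GridGain's implementation.

    Both paths are canonicalised first (resolving '.', '..', duplicate
    separators and symlinks), then compared on a path-component boundary so a
    sibling such as '.../logs2' is not mistaken for a child of '.../logs'.
    """
    if os.path.isabs(requested):
        # The viewer serves files relative to the log root only.
        return None
    root = os.path.realpath(log_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed log tree in a temp dir and try typical requests."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "logs")
    os.makedirs(os.path.join(root, "node1"))
    os.makedirs(root + "2")  # sibling dir sharing the root as a string prefix
    with open(os.path.join(root, "node1", "node1.log"), "w") as f:
        f.write("constructed log line\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("constructed file outside the log root\n")
    # A symlink inside the root that points outside it.
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "escape"))
    return {
        "inside": resolve_log_path(root, "node1/node1.log"),
        "dotdot": resolve_log_path(root, "../secret.txt"),
        "nested_dotdot": resolve_log_path(root, "node1/../../secret.txt"),
        "symlink_escape": resolve_log_path(root, "escape"),
        "prefix_sibling": resolve_log_path(root, "../logs2"),
        "absolute": resolve_log_path(root, os.path.join(base, "secret.txt")),
    }


if __name__ == "__main__":
    for label, path in demo().items():
        print(f"{label:15} -> {'REJECTED' if path is None else path}")
```

Only the request that stays under the log root is resolved; the `..` sequences, the escaping symlink, the same-prefix sibling directory and the absolute path are all rejected.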
   
 References: 
   
 * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14614