oss-sec mailing list archives
[SECURITY] CVE-2017-9797 Apache Geode client/server authentication vulnerability
From: Anthony Baker <abaker () apache org>
Date: Fri, 29 Sep 2017 10:35:55 -0700
CVE-2017-9797 Apache Geode client/server authentication vulnerability

Severity: Medium

CVSS Base Score 6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H)

Vendor: The Apache Software Foundation

Versions Affected: Apache Geode 1.0.0 through 1.2.0

Description: When a cluster is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. These metadata operations could leak information about application data types. In addition, an attacker could perform a denial of service attack on the cluster.

Mitigation: Users of the affected versions should upgrade to Apache Geode 1.2.1 or later.

Credit: This issue was reported responsibly to the Apache Geode Security Team by Dan Smith from Pivotal.

References:
[1] https://issues.apache.org/jira/browse/GEODE-3249
[2] https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities

---
The Geode PMC