
List:       apache-announce
Subject:    [CVE-2020-1952] Apache IoTDB (incubating) Remote Code execution vulnerability
From:       "Dawei Liu" <liudw () apache ! org>
Date:       2020-04-27 2:11:18
Message-ID: 44116ad7.85e5.171b9672cd1.Coremail.liudw () apache ! org


Severity: Important


Vendor: The Apache Software Foundation


Versions Affected:
IoTDB 0.9.0 to 0.9.1
IoTDB 0.8.0 to 0.8.2


Description:
When IoTDB starts, it exposes JMX port 31999 without authentication.
Remote clients can therefore execute code on the server.


Mitigation: 0.8.x, 0.9.0, and 0.9.1 users should upgrade to 0.9.2.


Example: An attacker can execute code remotely on the IoTDB server through the JMX port.
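The exposure this advisory describes is a remote JMX listener reachable without credentials. The following audit script is an added example for defenders and is not code from the advisory or from the IoTDB project: it scans JVM command lines (as seen in `ps -eo pid,args` output) and reports any process that opened a remote JMX port with authentication or TLS explicitly switched off. The `com.sun.management.jmxremote.*` names are standard JDK system properties; the sample process lines, the `server.jar` / `com.example.Server` main class and the `/etc/jmx/...` file paths are constructed placeholders, not IoTDB's own.

```python
# Added example, not from the advisory or the IoTDB project: audit JVM command
# lines for a remote JMX agent started without authentication, the exposure pattern
# behind CVE-2020-1952. The com.sun.management.jmxremote.* names are standard JDK
# system properties; the process lines and main class below are constructed samples.
import shlex
from typing import Dict, List

JMX = "com.sun.management.jmxremote"


def jvm_props(cmdline: str) -> Dict[str, str]:
    """Collect -Dkey=value system properties from one JVM command line.
    A bare -Dkey (no '=') yields the empty string, as the JVM itself does."""
    props: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, sep, value = tok[2:].partition("=")
            props[key] = value if sep else ""
    return props


def audit(cmdline: str) -> List[str]:
    """Return the remote-JMX weaknesses found on one command line (empty = none).

    The JDK starts a remote JMX listener only when *.port is set, and then defaults
    both *.authenticate and *.ssl to true, so an exposed, unauthenticated agent has
    to be switched on explicitly; that explicit 'false' is what this looks for."""
    props = jvm_props(cmdline)
    port = props.get(f"{JMX}.port")
    if port is None:
        return []  # no remote JMX agent requested on this command line
    issues: List[str] = []
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        issues.append(f"remote JMX on port {port} with authentication disabled")
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        issues.append(f"remote JMX on port {port} without TLS")
    return issues


def audit_process_list(ps_output: str) -> Dict[int, List[str]]:
    """Run audit() over every Java process in `ps -eo pid,args`-style output.
    Returns {pid: issues} for the processes that have at least one issue."""
    findings: Dict[int, List[str]] = {}
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header line or blank line
        pid, args = int(parts[0]), parts[1]
        if "java" not in args.split()[0]:
            continue  # not a JVM
        issues = audit(args)
        if issues:
            findings[pid] = issues
    return findings


# Constructed samples. VULNERABLE_ARGS mirrors the exposure described above (port
# 31999, auth and TLS explicitly off); HARDENED_ARGS keeps the JDK defaults and
# points at the JDK's password/access files for credentials and role-based access.
VULNERABLE_ARGS = (
    "java -Dcom.sun.management.jmxremote.port=31999 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-cp server.jar com.example.Server"
)
HARDENED_ARGS = (
    "java -Dcom.sun.management.jmxremote.port=31999 "
    "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
    "-Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access "
    "-cp server.jar com.example.Server"
)
SAMPLE_PS_OUTPUT = (
    "  PID ARGS\n"
    " 4242 " + VULNERABLE_ARGS + "\n"
    " 4243 " + HARDENED_ARGS + "\n"
    " 4244 /usr/bin/python3 -m http.server\n"
)

if __name__ == "__main__":
    for pid, issues in audit_process_list(SAMPLE_PS_OUTPUT).items():
        for issue in issues:
            print(f"pid {pid}: {issue}")
```

The check relies on the JDK's own defaults: a remote JMX port is only opened when `com.sun.management.jmxremote.port` is set, and from then on authentication and TLS are on unless a flag turns them off, so a single explicit `false` is the signal. A clean audit result does not replace the upgrade named under Mitigation; it only tells you which JVMs on a host are exposing an unauthenticated JMX listener right now.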


Credit: This issue was discovered by WuXiong of QI'ANXIN YunYing Lab.




Regards,
The Apache IoTDB team
