List: apache-announce
Subject: [CVE-2020-1952] Apache IoTDB (incubating) Remote Code execution vulnerability
From: "Dawei Liu" <liudw () apache ! org>
Date: 2020-04-27 2:11:18
Message-ID: 44116ad7.85e5.171b9672cd1.Coremail.liudw () apache ! org
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
IoTDB 0.9.0 to 0.9.1
IoTDB 0.8.0 to 0.8.2
Description:
When IoTDB starts, JMX port 31999 is exposed without authentication, so any client that can reach the port could execute code remotely.
Mitigation: 0.8.x, 0.9.0, and 0.9.1 users should upgrade to 0.9.2.
Example: An attacker can execute code remotely on the IoTDB server through the JMX port.
Credit: This issue was discovered by WuXiong of QI'ANXIN YunYing Lab.
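The exposure described above is a JVM configuration issue: a remote JMX connector whose authentication and TLS are switched off. The following added example (not Apache IoTDB code) audits a JVM command line for exactly that condition, assuming the JVM enables remote JMX through the standard com.sun.management.jmxremote.* system properties; the command lines, main class and file paths are constructed placeholders.

```python
"""Audit a JVM command line for an unauthenticated remote JMX endpoint.

Constructed example for the CVE-2020-1952 advisory; not Apache IoTDB code.
Assumes the JVM enables remote JMX through the standard
com.sun.management.jmxremote.* system properties.
"""
import shlex

JMX = "com.sun.management.jmxremote"

# Constructed sample command lines (placeholder main class and paths).
INSECURE_CMDLINE = (
    "java -Xmx2g"
    f" -D{JMX}.port=31999 -D{JMX}.authenticate=false -D{JMX}.ssl=false"
    " -cp lib/* org.example.Server"
)
HARDENED_CMDLINE = (
    "java -Xmx2g"
    f" -D{JMX}.port=31999 -D{JMX}.authenticate=true -D{JMX}.ssl=true"
    f" -D{JMX}.password.file=/PATH/TO/jmxremote.password"
    f" -D{JMX}.access.file=/PATH/TO/jmxremote.access"
    " -cp lib/* org.example.Server"
)


def jmx_properties(cmdline: str) -> dict:
    """Collect the -Dcom.sun.management.jmxremote.* properties into a dict."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D" + JMX):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return props


def audit_jmx(cmdline: str) -> list:
    """Return findings for a remote JMX connector that lacks authentication
    or TLS. An empty list means no remote connector, or one that has both."""
    props = jmx_properties(cmdline)
    port = props.get(f"{JMX}.port")
    if port is None:
        return []  # no remote JMX connector is configured at all
    findings = []
    # The JVM defaults both settings to true; only an explicit "false" disables them.
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        findings.append(f"JMX port {port} accepts connections without authentication")
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        findings.append(f"JMX port {port} is served without TLS")
    return findings


if __name__ == "__main__":
    for name, cmd in (("insecure", INSECURE_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(name, audit_jmx(cmd) or ["no findings"])
```

Feeding the command line of a running JVM (for example from `ps -o args=`) into `audit_jmx` flags the unauthenticated configuration the advisory describes; the hardened sample shows the flags that restore password-file authentication and TLS.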
Regards,
The Apache IoTDB team