www-announce mailing list archives

From Anthony Baker <aba...@apache.org>
Subject [SECURITY] CVE-2017-9795 Apache Geode OQL method invocation vulnerability
Date Tue, 09 Jan 2018 22:02:13 GMT
CVE-2017-9795 Apache Geode OQL method invocation vulnerability

Severity:  Important

Vendor: The Apache Software Foundation

Versions Affected:  Apache Geode 1.0.0 through 1.2.1

A malicious user with read access to specific regions within a Geode
cluster may execute OQL queries that allow read and write access to
objects within unauthorized regions. In addition, a user could invoke
methods that allow remote code execution.
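The following Python sketch is an added illustration, not code from the advisory or from the Geode project. It shows the kind of review a defender can run over query audit logs while the upgrade is being rolled out: it flags OQL queries that reference a region outside the issuing user's authorized set, or that invoke a method not on an allow-list, which are the two conditions the advisory describes. The log line format, the per-user region table, the allowed-method set, the sample queries and the regex heuristics are all assumed or constructed for the example; they are not Geode's log layout or its authorizer, and upgrading remains the fix.

```python
import re

# Constructed audit-log format (assumed, not Geode's own log layout):
#   <timestamp> user=<name> query="<OQL text>"
LOG_LINE = re.compile(r'^\S+\s+user=(\S+)\s+query="([^"]*)"$')

# Heuristic patterns over the query text. These regexes only illustrate the
# two conditions named in the advisory; real enforcement belongs in the
# server-side authorizer, not in log grep.
REGION_REF = re.compile(r"/([A-Za-z_]\w*)")            # e.g. FROM /Customers
METHOD_CALL = re.compile(r"\.([A-Za-z_]\w*)\s*\(")     # e.g. c.getName(

# Constructed sample policy: which regions each user may read, and which
# methods are considered acceptable to invoke from a query.
AUTHORIZED = {"alice": {"Customers"}, "bob": {"Orders"}}
ALLOWED_METHODS = {"getName", "toString", "size", "isEmpty"}

# Constructed sample log lines (not real Geode output).
LOG_LINES = [
    '2018-01-09T22:02:13Z user=alice query="SELECT * FROM /Customers c WHERE c.id = 42"',
    '2018-01-09T22:02:14Z user=alice query="SELECT c.getName() FROM /Customers c"',
    '2018-01-09T22:02:15Z user=bob query="SELECT * FROM /Orders o WHERE o.total > 100"',
    '2018-01-09T22:02:16Z user=bob query="SELECT o.getClass() FROM /Orders o"',
    '2018-01-09T22:02:17Z user=bob query="SELECT * FROM /Secrets s"',
    '2018-01-09T22:02:18Z user=carol query="SELECT * FROM /Public p"',
]


def parse_log_line(line):
    """Return (user, query) for a well-formed line, else None."""
    m = LOG_LINE.match(line)
    return (m.group(1), m.group(2)) if m else None


def audit_query(query, authorized_regions, allowed_methods):
    """Return the reasons this query should be reviewed (empty list if none)."""
    reasons = []
    for m in REGION_REF.finditer(query):
        region = m.group(1)
        if region not in authorized_regions:
            reasons.append(f"references region /{region} outside the user's authorized set")
    for m in METHOD_CALL.finditer(query):
        method = m.group(1)
        if method not in allowed_methods:
            reasons.append(f"invokes non-allow-listed method {method}()")
    return reasons


def audit_log(lines, authorized, allowed_methods):
    """Run audit_query over every parseable line; unknown users get no regions."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        user, query = parsed
        for reason in audit_query(query, authorized.get(user, set()), allowed_methods):
            findings.append((user, query, reason))
    return findings


if __name__ == "__main__":
    for user, query, reason in audit_log(LOG_LINES, AUTHORIZED, ALLOWED_METHODS):
        print(f"{user}: {reason}: {query}")
```

Run stand-alone, the script reports the three constructed lines that violate the policy (one method invocation, two region references). The region regex is deliberately simple and will also match any `/name` token, so treat its output as review candidates rather than verdicts.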

Users of the affected versions should upgrade to Apache Geode 1.3.0 or later.

This issue was reported responsibly to the Apache Geode Security Team
by Dan Smith from Pivotal.

[1] https://issues.apache.org/jira/browse/GEODE-3247
[2] https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities

The Geode PMC
