As a follow-up to this CVE, I wanted to share the process for reporting and responding to security issues:

https://www.apache.org/security/
https://www.apache.org/security/committers.html

Here’s the short version:
- Report the vulnerability privately (secur...@apache.org | priv...@geode.apache.org)
- Fix the vulnerability
- Release a new version(s) with the fix
- Disclose the vulnerability

Secondly, I think it would be valuable to get the community’s perspective on the kinds of security threats that a Geode deployment may encounter. Here are a few questions to spark the conversation:
- When is a bug a security bug?
- When does a bug require a CVE and disclosure?
- How do we know how severe a security issue is?
- How soon do we need to respond to a security issue?

Anthony

> On Apr 4, 2017, at 7:31 AM, Anthony Baker <aba...@apache.org> wrote:
>
> CVE-2017-5649: Apache Geode information disclosure vulnerability
>
> Severity: Medium
> Base score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Geode 1.1.0
>
> Description:
> When a cluster has enabled security by setting the security-manager
> property, a user should have DATA:READ permission to view data stored
> in the cluster. However, if an authenticated user has CLUSTER:READ
> but not DATA:READ permission they can access the data
> browser page in Pulse. From there the user could execute an OQL query
> that exposes data stored in the cluster.
>
> Mitigation:
> 1.1.0 users should upgrade to 1.1.1
>
> Credit:
> This issue was discovered by Jinmei Liao.
>
> References:
> https://www.apache.org/security/
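The advisory describes an authorization gap: access to the Pulse data browser page was gated on CLUSTER:READ, but the OQL query it lets the user run exposes data that should require DATA:READ. The model below is an added example, not Geode's own code; the class and function names are hypothetical, and the region contents are constructed sample data. It contrasts a handler that checks only the page-level permission with one that also enforces the data-level permission at the point where the query actually runs, and records denied attempts so that probing for such gaps shows up in an audit log.

```python
import re
from dataclasses import dataclass

# Constructed sample region contents standing in for cluster data.
REGIONS = {
    "/customers": [
        {"id": 1, "email": "a@example.test"},
        {"id": 2, "email": "b@example.test"},
    ],
}

# Audit trail of denied authorization checks (a detection hook).
AUDIT_LOG = []


class NotAuthorized(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    name: str
    granted: frozenset  # permission strings such as "CLUSTER:READ"


def require(principal, resource, operation):
    """Raise NotAuthorized unless the principal holds RESOURCE:OPERATION."""
    perm = "%s:%s" % (resource, operation)
    if perm not in principal.granted:
        AUDIT_LOG.append("DENY %s %s" % (principal.name, perm))
        raise NotAuthorized("%s lacks %s" % (principal.name, perm))


def run_query(oql):
    """Toy OQL engine: understands only 'SELECT * FROM /<region>'."""
    m = re.fullmatch(r"SELECT \* FROM (/\w+)", oql.strip())
    if not m or m.group(1) not in REGIONS:
        raise ValueError("unsupported query: %r" % oql)
    return list(REGIONS[m.group(1)])


def data_browser_vulnerable(principal, oql):
    """Gates only on the page-level permission (the gap the advisory describes)."""
    require(principal, "CLUSTER", "READ")
    return run_query(oql)


def data_browser_fixed(principal, oql):
    """Gates page access AND the data access the query itself performs."""
    require(principal, "CLUSTER", "READ")
    require(principal, "DATA", "READ")
    return run_query(oql)


if __name__ == "__main__":
    monitor = Principal("monitor", frozenset({"CLUSTER:READ"}))
    query = "SELECT * FROM /customers"
    print("vulnerable:", data_browser_vulnerable(monitor, query))
    try:
        data_browser_fixed(monitor, query)
    except NotAuthorized as e:
        print("fixed:", e)
    print("audit:", AUDIT_LOG)
```

The design point is that authorization belongs on the operation, not on the page that reaches it: any path that ends in reading region data must itself check DATA:READ, so that adding a new UI or endpoint cannot silently widen what a CLUSTER:READ principal can see.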