Looks like a great wiki page to me. ;) Cool summary, Anthony!
Sent from my iPhone

> On Apr 5, 2017, at 11:49 AM, Anthony Baker <aba...@pivotal.io> wrote:
>
> As a follow-up to this CVE, I wanted to share the process for reporting and
> responding to security issues:
>
> https://www.apache.org/security/
> https://www.apache.org/security/committers.html
>
> Here’s the short version:
>
> - Report the vulnerability privately (secur...@apache.org |
>   priv...@geode.apache.org)
> - Fix the vulnerability
> - Release a new version(s) with the fix
> - Disclose the vulnerability
>
> Secondly, I think it would be valuable to get the community’s perspective on
> the kinds of security threats that a Geode deployment may encounter. Here
> are a few questions to spark the conversation:
>
> - When is a bug a security bug?
> - When does a bug require a CVE and disclosure?
> - How do we know how severe a security issue is?
> - How soon do we need to respond to a security issue?
>
> Anthony
>
>> On Apr 4, 2017, at 7:31 AM, Anthony Baker <aba...@apache.org> wrote:
>>
>> CVE-2017-5649: Apache Geode information disclosure vulnerability
>>
>> Severity: Medium
>> Base score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> Geode 1.1.0
>>
>> Description:
>> When a cluster has enabled security by setting the security-manager
>> property, a user should have DATA:READ permission to view data stored
>> in the cluster. However, if an authenticated user has CLUSTER:READ
>> but not DATA:READ permission they can access the data
>> browser page in Pulse. From there the user could execute an OQL query
>> that exposes data stored in the cluster.
>>
>> Mitigation:
>> 1.1.0 users should upgrade to 1.1.1
>>
>> Credit:
>> This issue was discovered by Jinmei Liao.
>>
>> References:
>> https://www.apache.org/security/
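The authorization gap in the quoted advisory (a user holding CLUSTER:READ but not DATA:READ reaching the Pulse data browser and running OQL) is the classic "gate the page, forget the operation" bug. The following is an added, constructed model of that shape; it is not Apache Geode's SecurityManager, Pulse or OQL code, and the function names, the toy OQL parser, the `REGIONS` sample data and the assumption that the page-level CLUSTER:READ check was the only check are all mine. It keeps the advisory's CLUSTER:READ / DATA:READ vocabulary and puts the vulnerable handler beside a hardened one that authorizes the data read at the point it actually happens.

```python
"""Constructed model of the authorization gap in CVE-2017-5649 (illustrative,
not Apache Geode code). Assumed shape of the bug: the Pulse data-browser page is
gated on CLUSTER:READ and the OQL query issued from it is never checked for
DATA:READ."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Resource(Enum):
    CLUSTER = "CLUSTER"
    DATA = "DATA"


class Operation(Enum):
    READ = "READ"
    WRITE = "WRITE"


@dataclass(frozen=True)
class Permission:
    resource: Resource
    operation: Operation

    def __str__(self) -> str:           # renders as "DATA:READ", matching the advisory
        return f"{self.resource.value}:{self.operation.value}"


@dataclass(frozen=True)
class Principal:
    name: str
    granted: frozenset[Permission]


def is_authorized(principal: Principal, required: Permission) -> bool:
    """Stand-in for a SecurityManager.authorize() call: deny unless explicitly granted."""
    return required in principal.granted


# Constructed sample region contents (not real data).
REGIONS = {
    "customer": {
        "1": {"name": "Alice", "card_last4": "4242"},
        "2": {"name": "Bob", "card_last4": "1111"},
    }
}


def run_oql(query: str) -> list[dict]:
    """Toy OQL (assumption, not Geode's parser): only 'SELECT * FROM /<region>'."""
    parts = query.strip().split()
    if len(parts) != 4 or [p.upper() for p in parts[:3]] != ["SELECT", "*", "FROM"]:
        raise ValueError(f"unsupported query: {query!r}")
    region = parts[3].lstrip("/")
    if region not in REGIONS:
        raise KeyError(f"no such region: /{region}")
    return list(REGIONS[region].values())


CLUSTER_READ = Permission(Resource.CLUSTER, Operation.READ)
DATA_READ = Permission(Resource.DATA, Operation.READ)


def data_browser_query_vulnerable(principal: Principal, query: str) -> list[dict]:
    """Vulnerable shape: the page gate (CLUSTER:READ) is the only check, so the
    query runs without ever asking for DATA:READ."""
    if not is_authorized(principal, CLUSTER_READ):
        raise PermissionError(f"{principal.name} lacks {CLUSTER_READ}")
    return run_oql(query)


def data_browser_query_fixed(principal: Principal, query: str) -> list[dict]:
    """Hardened shape: authorize the operation actually performed where it runs.
    Reaching the page still needs CLUSTER:READ; reading data needs DATA:READ."""
    if not is_authorized(principal, CLUSTER_READ):
        raise PermissionError(f"{principal.name} lacks {CLUSTER_READ}")
    if not is_authorized(principal, DATA_READ):
        raise PermissionError(f"{principal.name} lacks {DATA_READ}")
    return run_oql(query)


# Constructed principals: a dashboard-only monitor and an analyst allowed to read data.
MONITOR = Principal("monitor", frozenset({CLUSTER_READ}))
ANALYST = Principal("analyst", frozenset({CLUSTER_READ, DATA_READ}))


def attempt(handler, principal: Principal, query: str) -> tuple[str, list[dict]]:
    """Run a handler and report ('allowed', rows) or ('denied', [])."""
    try:
        return "allowed", handler(principal, query)
    except PermissionError:
        return "denied", []


if __name__ == "__main__":
    q = "SELECT * FROM /customer"
    for handler in (data_browser_query_vulnerable, data_browser_query_fixed):
        for who in (MONITOR, ANALYST):
            verdict, rows = attempt(handler, who, q)
            print(f"{handler.__name__:30} {who.name:8} {verdict:8} {len(rows)} row(s)")
```

The point the model makes is that a UI entry check is not a substitute for checking the permission the data operation needs: the monitor principal gets two rows of region data from the vulnerable handler and is denied by the fixed one, while the analyst is allowed by both.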