CVE-2017-15695
First published: Tue Jun 12 2018(Updated: )
When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Geode | >=1.0.0<=1.4.0 | |
| maven/org.apache.geode:geode-core | >=1.0.0<1.5.0 | 1.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/104465
- https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2017-15695
- https://github.com/apache/geode/pull/1258
- https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities
- https://issues.apache.org/jira/browse/GEODE-3974
- https://github.com/apache/geode/commit/00be4f9774e1adf8e7ccc2664da8005fc30bb11d
- https://github.com/apache/geode/commit/49d28f93fd2ef069693ce15d124ef3a29f22fb7d
- https://github.com/apache/geode/commit/6df14c8b1e3c644f9f810149e80bba0c2f073dab
- https://github.com/apache/geode/commit/740289c61d60256c6270756bc84b9e24b76e4913
- https://github.com/apache/geode/commit/90f8f6242927c5e16da64f38bba9abf3d450a305
- https://github.com/apache/geode/commit/954ccb545d24a9c9a35cbd84023a4d7e07032de0
- https://github.com/apache/geode/commit/aa469239860778eb46e09dd7b390aee08f152480
- https://github.com/advisories/GHSA-jmg4-x4vp-6c6x (Advisory)
- https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99%40%3Cuser.geode.apache.org%3E
Frequently Asked Questions
What is CVE-2017-15695?
CVE-2017-15695 is a vulnerability in Apache Geode server versions 1.0.0 to 1.4.0 that allows remote code execution when a user with DATA:WRITE privileges is able to deploy code by invoking an internal Geode function.
What is the severity of CVE-2017-15695?
CVE-2017-15695 has a severity rating of 8.8 (High).
How does CVE-2017-15695 occur?
CVE-2017-15695 occurs when an Apache Geode server configured with a security manager allows a user with DATA:WRITE privileges to deploy code by invoking an internal Geode function.
How can CVE-2017-15695 be exploited?
CVE-2017-15695 can be exploited by an attacker with DATA:WRITE privileges to remotely execute code by deploying code through an internal Geode function.
How can CVE-2017-15695 be fixed?
To fix CVE-2017-15695, code deployment should be restricted to users with DATA:MANAGE privilege on Apache Geode servers.
- collector/nvd-index
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jmg4-x4vp-6c6x
- alias/CVE-2017-15695
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/description
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/references
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/apache
- canonical/apache geode
- version/apache geode/1.0.0
- version/apache geode/1.4.0
- package-manager/maven