PT-2020-15668 · Symmetric DS

Greendog · Published 2020-10-05 · Updated 2020-10-20 · CVE-2020-24231

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Symmetric DS versions prior to 3.12.0

Description: The issue allows an attacker to interact with JMX, which can lead to arbitrary code execution. This is possible because mx4j, which Symmetric DS uses to expose JMX over HTTP, has no authentication by default and listens on all interfaces. An attacker can obtain system information, invoke MBean methods, and install additional MBeans from a remote host using MLet.

Recommendations: For Symmetric DS versions prior to 3.12.0, consider disabling access to JMX over HTTP or restricting it to specific interfaces and implementing authentication to prevent unauthorized access. As a temporary workaround, consider disabling the MLet functionality to prevent the installation of additional MBeans from remote hosts.
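As an added illustration (not Symmetric DS's or mx4j's own code, and not the vendor's 3.12.0 fix), the following contrasts an mx4j HttpAdaptor registered the way the advisory describes (all interfaces, default authentication method "none") with a hardened registration that binds to loopback and requires HTTP basic credentials. The port, the credentials and the MBean object name are assumed values.

```java
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import mx4j.tools.adaptor.http.HttpAdaptor;
import mx4j.tools.adaptor.http.XSLTProcessor;

public class Mx4jHttpAdaptorConfig {

    // Weak setup (the condition the advisory describes): the adaptor binds to
    // every interface and keeps mx4j's default authentication method "none",
    // so any remote host can browse MBeans, invoke operations and load MLets.
    static HttpAdaptor weakAdaptor(MBeanServer server) throws Exception {
        HttpAdaptor adaptor = new HttpAdaptor();
        adaptor.setHost("0.0.0.0");   // assumed: all interfaces
        adaptor.setPort(31417);       // assumed port
        server.registerMBean(adaptor, new ObjectName("Server:name=HttpAdaptor"));
        return adaptor;
    }

    // Hardened setup: loopback only plus HTTP basic authentication. The
    // credentials are placeholders; load them from a protected properties file.
    // Note that this does not by itself disable MLet loading; the advisory's
    // workaround of disabling MLet is a separate step.
    static HttpAdaptor hardenedAdaptor(MBeanServer server, String user, String password)
            throws Exception {
        HttpAdaptor adaptor = new HttpAdaptor();
        adaptor.setHost("127.0.0.1");             // reachable only from the host itself
        adaptor.setPort(31417);                   // assumed port
        adaptor.setAuthenticationMethod("basic"); // mx4j default is "none"
        adaptor.addAuthorization(user, password);
        adaptor.setProcessor(new XSLTProcessor());
        server.registerMBean(adaptor, new ObjectName("Server:name=HttpAdaptor"));
        return adaptor;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = MBeanServerFactory.createMBeanServer();
        HttpAdaptor adaptor = hardenedAdaptor(server, "jmxadmin", "change-me");
        adaptor.start();
        System.out.println("mx4j HTTP adaptor on 127.0.0.1:31417 with basic auth");
    }
}
```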

Fix


Related Identifiers: CVE-2020-24231

Affected Products: Symmetric DS