PT-2020-18454 · VMware · VMware GemFire (+1)
Published: 2020-07-31 · Updated: 2020-08-04
CVE: CVE-2020-5396
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
VMware GemFire versions prior to 9.10.0
VMware GemFire versions prior to 9.9.2
VMware GemFire versions prior to 9.8.7
VMware GemFire versions prior to 9.7.6
VMware Tanzu GemFire for VMs versions prior to 1.11.1
VMware Tanzu GemFire for VMs versions prior to 1.10.2
Description
The issue is caused by an insecure default configuration of the JMX service in the affected software. When GemFire is deployed without a SecurityManager, this configuration allows a malicious user to create an MLet MBean, which can lead to remote code execution.
Recommendations
For VMware GemFire versions prior to 9.10.0, update to version 9.10.0 or later.
For VMware GemFire versions prior to 9.9.2, update to version 9.9.2 or later.
For VMware GemFire versions prior to 9.8.7, update to version 9.8.7 or later.
For VMware GemFire versions prior to 9.7.6, update to version 9.7.6 or later.
For VMware Tanzu GemFire for VMs versions prior to 1.11.1, update to version 1.11.1 or later.
For VMware Tanzu GemFire for VMs versions prior to 1.10.2, update to version 1.10.2 or later.
Weakness Types
Improper Access Control
Missing Authorization
Affected Products
VMware GemFire
VMware Tanzu GemFire for VMs