Improper Authorization in Apache IoTDB

#VU27368 Improper Authorization in Apache IoTDB

Published: 2020-04-27

Vulnerability identifier: #VU27368

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-1952

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache IoTDB
Server applications / Database software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to the system.

The vulnerability exists due to missing authorization for the JMX port 31999. A remote non-authenticated attacker can send request to the JMX port and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache IoTDB: 0.8.0 - 0.9.1

External links
http://seclists.org/oss-sec/2020/q2/73

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Remote code execution in Apache IoTDB