- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: FIS 2.0
- Fix Version/s: fuse-7.0
- Component/s: FIS-Productization Pipeline
- Epic Link:
- Security Sensitive Issue: This issue is security relevant
Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Important. Based on this impact, this bug must be resolved by 02-May-2018.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
Flaw:
CVE-2018-1295 ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints
https://bugzilla.redhat.com/show_bug.cgi?id=1563133
Apache Ignite serialization mechanism does not have a list of classes
allowed for serialization/deserialization, which makes it possible to run
arbitrary code when third-party vulnerable classes are present in the Ignite
classpath. The vulnerability can be exploited if one sends a specially
prepared form of a serialized object to one of the deserialization
endpoints of some Ignite components - discovery SPI, Ignite persistence,
Memcached endpoint, socket streamer.
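The flaw above is the classic "no class allowlist on a deserialization endpoint" pattern. As an added illustration of the defensive side (this is example code, not Ignite's code and not the fix shipped for this CVE), the following standalone Java program contrasts an unfiltered `ObjectInputStream.readObject()` call with one guarded by a JDK `ObjectInputFilter` (java.io, JDK 9+) that rejects every class not on an explicit allowlist. The `Message` class and the allowlist contents are assumptions made for the demonstration; `java.util.HashMap` merely stands in for any Serializable class the endpoint was never meant to accept.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class FilteredDeserialization {

    // Allowlist of classes this endpoint expects to receive (constructed for the example).
    // Nested class names use the binary form "Outer$Inner".
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Number",
        "FilteredDeserialization$Message");

    // Hypothetical payload type for the demo; not an Ignite class.
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Unfiltered: any Serializable class on the classpath is instantiated during
    // readObject(). This is the condition the CVE text describes.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened: the filter is consulted for every class (and array component type)
    // before it is resolved; anything not allowlisted aborts deserialization.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Callback carries only depth/reference/size info, no class to judge.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {
                c = c.getComponentType();
            }
            if (c.isPrimitive()) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload passes both readers.
        byte[] ok = serialize(new Message("hello"));
        System.out.println(((Message) readFiltered(ok)).text);

        // A Serializable class that is not on the allowlist.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        readUnfiltered(unexpected); // succeeds: nothing constrains the class being loaded
        try {
            readFiltered(unexpected); // rejected before the class is resolved
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point for an endpoint such as the ones listed in the flaw description is that the filter runs before the class is resolved, so a gadget class present on the classpath is never instantiated. A process-wide default can also be set with the `jdk.serialFilter` system property, which is the usual way to cover third-party code that opens its own `ObjectInputStream`.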
External References:
- cloned to: ENTESB-8429 CVE-2018-1295 ignite-core: ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints [fis-2.0] (Closed)