CVE-2020-5396: JMX Insecure Default Configuration in GemFire
23908
30 July 2020
30 July 2020
CLOSED
CRITICAL
CVE-2020-5396
Severity
Critical
Vendor
VMware Tanzu
Description
VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution.Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- VMware GemFire
- 9.7 versions prior to 9.7.6
- 9.8 versions prior to 9.8.7
- 9.9 versions prior to 9.9.2
- VMware Tanzu GemFire for VMs
- 1.10 versions prior to 1.10.2
- 1.11 versions prior to 1.11.1
Mitigation
- VMware GemFire
- 9.7.6
- 9.8.7
- 9.9.2
- 9.10.0
- VMware Tanzu GemFire for VMs
- 1.10.2
- 1.11.1
Credit
An Trinh
References
History
2020-07-30: Initial vulnerability report published.