
oss-sec mailing list archives
[CVE-2020-1952] Apache IoTDB (incubating) Remote Code execution vulnerability
From: "Dawei Liu" <liudw () apache org>
Date: Mon, 27 Apr 2020 10:12:19 +0800 (GMT+08:00)
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
IoTDB 0.9.0 to 0.9.1
IoTDB 0.8.0 to 0.8.2

Description:
When starting IoTDB, the JMX port 31999 is exposed with no certification. Then, clients could execute code remotely.

Mitigation:
0.8.x, 0.9.0, and 0.9.1 users should upgrade to 0.9.2.

Example:
An Attacker can execute code remotely in the IoTDB server through JMX port.

Credit:
This issue was discovered by WuXiong of QI’ANXIN YunYing Lab.

Regards,
The Apache IoTDB team
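
A defender-side check for the exposure described above, added here as an example and not part of the original advisory or of IoTDB's own code. It assumes the JMX connector is configured through the standard JVM com.sun.management.jmxremote system properties; the audit() helper and the sample argument strings are constructed for illustration.

```python
import shlex

# Affected releases as listed in the advisory; 0.9.2 is the fixed release.
AFFECTED = {"0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1"}
PREFIX = "com.sun.management.jmxremote"

def jmx_properties(jvm_args):
    """Collect -Dcom.sun.management.jmxremote* properties from a JVM argument string."""
    props = {}
    for tok in shlex.split(jvm_args):
        if tok.startswith("-D" + PREFIX):
            key, _, value = tok[2:].partition("=")
            props[key] = value.strip().lower()
    return props

def audit(version, jvm_args):
    """Return a list of findings for one IoTDB instance (hypothetical helper)."""
    findings = []
    if version in AFFECTED:
        findings.append(f"version {version} is affected; upgrade to 0.9.2")
    props = jmx_properties(jvm_args)
    port = props.get(PREFIX + ".port")
    if port is None:
        return findings  # no remote JMX connector configured
    # JVM defaults: authenticate=true and ssl=true once a remote port is set,
    # so only an explicit "false" disables either protection.
    if props.get(PREFIX + ".authenticate", "true") == "false":
        findings.append(f"JMX port {port} accepts unauthenticated clients")
    if props.get(PREFIX + ".ssl", "true") == "false":
        findings.append(f"JMX port {port} has TLS disabled")
    return findings

# Constructed sample inputs (not taken from any IoTDB distribution).
EXPOSED = ("-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=31999 "
           "-Dcom.sun.management.jmxremote.authenticate=false "
           "-Dcom.sun.management.jmxremote.ssl=false")
HARDENED = ("-Dcom.sun.management.jmxremote.port=31999 "
            "-Dcom.sun.management.jmxremote.authenticate=true "
            "-Dcom.sun.management.jmxremote.password.file=/path/to/jmx.password")

if __name__ == "__main__":
    for label, ver, args in (("exposed", "0.9.1", EXPOSED), ("hardened", "0.9.2", HARDENED)):
        print(label, audit(ver, args) or "no findings")
```

Feed it the version and the JVM arguments of a running instance (for example from the process command line) to confirm both the upgrade status and the connector settings.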