JMX Insecure Default Configuration in GemFire
CVE-2020-5396

8.8HIGH

Key Information:

Vendor: Vmware Tanzu
Status: Vmware Tanzu Gemfire For Vms; Vmware Gemfire
Vendor: CVE Published:; 31 July 2020

🔔 Create Vmware Tanzu Vulnerability Alert

What is CVE-2020-5396?

VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution.

Affected Version(s)

VMware GemFire 9.7 < 9.7.6

VMware GemFire 9.8 < 9.8.7

VMware GemFire 9.9 < 9.9.2

References

https://tanzu.vmware.com/security/cve-2020-5396

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2020
Vulnerability Reserved
Jan 3, 2020