I'm happy to hear this is likely not a problem! It is ASF policy to work on security issues in private (https://apache.org/security/committers.html#work-in-private). As such, in the future, please discuss those on priv...@iotdb.apache.org with Cc to secur...@apache.org.
Kind regards,
Arnout Engelen
ASF Security

On 2024/10/02 03:22:26 Yuan Tian wrote:
> Hi all,
>
> About CVE-2024-24780[1][2], I think it may not be a problem in IoTDB.
>
> The permission to create UDFs is a high-level privilege in IoTDB, and by default, only the root user has it in IoTDB. Therefore, we believe that users with this privilege should be responsible for the security of the cluster. Moreover:
>
> 1. Even if we disable the function of loading JAR packages from remote URIs, people with the corresponding permissions can still copy risky JAR packages to the local disk of the server where the cluster is located and load them.
> 2. Even if we add a whitelist configuration, people who can log in to the server where the cluster is located can also modify the whitelist configuration items, rendering it ineffective.
>
> Therefore, I believe that maintaining the status quo will not pose a security risk.
>
> What do you think?
>
> [1] https://cveprocess.apache.org/cve5/CVE-2024-24780
> [2] https://lists.apache.org/thread/8logyynghs3s0qsp9lq7tbtyv6llmpvp
>
> Best regards,
> -----------------------------
> Yuan Tian