Sorry for that...

On Fri, Oct 4, 2024 at 7:36 PM Arnout Engelen <enge...@apache.org> wrote:

> I'm happy to hear this is likely not a problem!
>
> It is ASF policy to work on security issues in private
> (https://apache.org/security/committers.html#work-in-private). As such, in
> the future, please discuss those on priv...@iotdb.apache.org with Cc to
> secur...@apache.org.
>
>
> Kind regards,
>
> Arnout Engelen
> ASF Security
>
> On 2024/10/02 03:22:26 Yuan Tian wrote:
> > Hi all,
> >
> > About CVE-2024-24780[1][2], I think it may not be a problem in IoTDB.
> >
> > The permission to create UDFs is a high-level privilege in IoTDB, and by
> > default, only the root user has it in IoTDB. Therefore, we believe that
> > users with this privilege should be responsible for the security of the
> > cluster. Moreover:
> >
> > 1. Even if we disable the function of loading JAR packages from remote
> > URIs, people with the corresponding permissions can still copy risky JAR
> > packages to the local disk of the server where the cluster is located and
> > load them.
> > 2. Even if we add a whitelist configuration, people who can log in to
> > the server where the cluster is located can also modify the whitelist
> > configuration items, rendering it ineffective.
> >
> >
> > Therefore, I believe that maintaining the status quo will not pose a
> > security risk.
> >
> > What do you think?
> >
> > [1] https://cveprocess.apache.org/cve5/CVE-2024-24780
> > [2] https://lists.apache.org/thread/8logyynghs3s0qsp9lq7tbtyv6llmpvp
> >
> >
> >
> > Best regards,
> > -----------------------------
> > Yuan Tian
> >