Versions Affected:
Aurora 0.10.0 to 0.18.0

Description:
The affected versions of the scheduler rely on a version of Apache Shiro which is vulnerable to CVE-2016-4437. Under certain conditions, the vulnerability allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Mitigation:
- 0.18.0 users should upgrade to 0.18.1.
- 0.10.0 - 0.17.0 users should upgrade to 0.18.1 or apply this patch:
  https://git-wip-us.apache.org/repos/asf?p=aurora.git;a=commit;h=ec640117
- Alternatively, the INI configuration mitigations outlined in CVE-2016-4437 may be applied.

Credit:
This issue was discovered by Greg Harris from the Fitbit Security team.