OpenTSDB Vulnerability to Remote Code Execution

This section describes a security issue in OpenTSDB. MapR recommends that you update to OpenTSDB 2.3.0, which is included with MEP 3.0, MEP 2.0.1, and MEP 1.1.2.

Vulnerability: OpenTSDB versions prior to 2.3.0 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the targeted system. An unauthenticated, remote attacker could exploit the vulnerability by transmitting crafted requests to an OpenTSDB listening port. A successful attack could allow the attacker to execute arbitrary commands on the targeted system with elevated privileges.
Mitigation: MapR recommends that you update to OpenTSDB 2.3.0, which is included with MEP 3.0, MEP 2.0.1, and MEP 1.1.2. For a short-term solution, use firewalls to block unauthorized access to the port(s).
Products Affected: OpenTSDB versions before 2.3.0.
Impact: Requesting a PNG with certain URI parameters could allow remote code execution.
Severity: Critical for OpenTSDB users.
Bug Tracking: No related MapR bugs.
References
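
To confirm that the upgrade in the Mitigation entry has reached every node, the version each OpenTSDB instance reports can be compared against 2.3.0. The following is an added example, not MapR or OpenTSDB code. It assumes the JSON bodies were collected beforehand from each instance's `/api/version` endpoint; the host names and response bodies are constructed samples.

```python
import json
import re

FIXED = (2, 3, 0)  # first fixed release named in the advisory

# Constructed sample: host -> body returned by GET /api/version (collected separately).
SAMPLE_RESPONSES = {
    "tsdb-a.example.internal": '{"version": "2.2.0", "short_revision": "abc1234"}',
    "tsdb-b.example.internal": '{"version": "2.3.0", "short_revision": "def5678"}',
    "tsdb-c.example.internal": '{"version": "2.3.0-RC1"}',
    "tsdb-d.example.internal": "<html>502 Bad Gateway</html>",
}

# major.minor[.patch] followed by an optional pre-release tag such as RC1 or SNAPSHOT
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z].*))?$")

def classify(version):
    """Return 'vulnerable', 'fixed', or 'unknown' for one version string."""
    m = _VERSION_RE.match(version.strip()) if isinstance(version, str) else None
    if m is None:
        return "unknown"
    numeric = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if numeric < FIXED:
        return "vulnerable"
    # Assumption (conservative): a pre-release build of 2.3.0 itself predates
    # the final release, so it is treated as "prior to 2.3.0".
    if numeric == FIXED and m.group(4):
        return "vulnerable"
    return "fixed"

def audit(responses):
    """Map each host to a status; unparseable responses are 'unknown', never 'fixed'."""
    report = {}
    for host, body in responses.items():
        try:
            version = json.loads(body).get("version")
        except (ValueError, AttributeError):
            version = None  # not JSON, or JSON that is not an object
        report[host] = classify(version)
    return report

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_RESPONSES).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since a proxy error page or an unexpected response says nothing about the version behind it.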