It's important to note that even a trusted node may attempt to gain access to resources without having sufficient rights, but it does so in a standard way by using the exposed standard API.įile system mechanisms (the same that is used to protect the integrity of the Java runtime libraries) and standard Java security policy could be used to resolve an issue of guarantying the trustworthiness of a given single node. Alternatively, a cluster node that never attempts to gain unauthorized access to clustered resources by using nonstandard means will be called a "trusted" node. They could range from attempts to get protected or private class data using reflection, replacing classes in the distribution ( coherence.jar or other application binaries), modifying classes on-the-fly using custom class loader(s) and so on. Let's call a cluster node that may try to gain unauthorized access to clustered resources by using nonstandard means as a "malicious" node. We assume that when there is data shared between two cluster nodes either node could be a malicious one - lacking sufficient credentials to join a clustered service or obtain access to a clustered resource. Since Coherence is a system providing distributed data management and computing, the security subsystem is designed to operate in a partially hostile environment. While the senior member does not have to consult anyone when accessing a clustered resource, any junior node willing to join that service has to request and receive a confirmation from the senior member, which in turn notifies all other cluster nodes about the joining node. See "Enabling the Default Access Controller Implementation".Įach clustered service in Coherence maintains a concept of a senior service member (cluster node), which serves as a controlling agent for a particular service. The specified class must implement the .AccessController interface.Ĭoherence provides a default Access Controller implementation that is based on the Key Management infrastructure that is shipped as a standard part of Sun's JDK. The Access Controller is a pluggable component that could be declared in the Coherence deployment descriptor, tangosol-coherence.xml. Grant or deny access to a protected clustered resource based on the caller's permissionsĮncrypt outgoing communications based on the caller's private credentialsĭecrypt incoming communications based on the caller's public credentialsĬoherence uses a local Login Module (see JAAS Reference Guide for details) to authenticate the caller and an Access Controller on one or more cluster nodes to verify the caller's access rights. The Access Controller serves three purposes: Joining an existing clustered cache or service This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.The Access Controller manages access to clustered resources, such as clustered services and caches and controls operations that include (but are not limited to) the following:Ĭreating a new clustered cache or service Necessarily indicate when this vulnerability wasĭiscovered, shared with the affected vendor, publicly The CVE ID was allocated or reserved, and does not The list is not intended to be complete.ĭisclaimer: The record creation date may reflect when Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |