Date: Fri, 27 Jun 2014 04:00:38 -0400 (EDT)
From: Arun Babu Neelicattu <abn@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request for commons-beanutils: 'class'
 property is exposed, potentially leading to RCE

Hi,

Is there a decision on this one? Did this one get missed?

-arun

----- Original Message -----
> From: "David Jorm" <djorm@...hat.com>
> To: oss-security@...ts.openwall.com
> Sent: Monday, June 16, 2014 8:39:28 AM
> Subject: [oss-security] CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
> 
> Hi All
> 
> I have raised this twice with security@...che.org, on 30 April and June
> 3. I have received no response either time, therefore I am raising it on
> oss-security.
> 
> CVE-2014-0114 describes a well-known issue in Apache Struts 1:
> 
> "It was found that the Struts 1 ActionForm object allowed access to the
> 'class' parameter, which is directly mapped to the getClass() method. A
> remote attacker could use this flaw to manipulate the ClassLoader used
> by an application server running Struts 1. This could lead to remote
> code execution under certain conditions."
> 
> The root cause of this flaw is that commons-beanutils exposes the class
> property by default, with no mechanism to disable access to it. Struts 1
> is considered EOL upstream, and upstream has not yet shipped a patch for
> this flaw. Red Hat has shipped a patch, which was submitted upstream as
> a pull request:
> 
> https://github.com/apache/struts1/pull/1
> 
> This patch disables access to the class property in struts itself,
> rather than in commons-beanutils. Other frameworks built on
> commons-beanutils, such as Apache Stripes, are likely to expose similar
> issues. I think it would be a good idea to also assign a separate CVE ID
> to commons-beanutils, and ship a patch for commons-beanutils itself. The
> commons-beanutils patch could be inherited by other frameworks that may
> not have the resources to produce their own patch.
> 
> commons-beanutils 1.9.2 has now shipped:
> 
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
> 
> Incorporating a patch for this issue:
> 
> https://issues.apache.org/jira/browse/BEANUTILS-463
> 
> "A specialized BeanIntrospector implementation has been added which
> allows suppressing properties. There is also a pre-configured instance
> removing the class property from beans. Some notes have been added to
> the user's guide."
> 
> I think it would be appropriate to assign a CVE ID to this issue in
> commons-beanutils, and publish an advisory. This would provide framework
> developers with the necessary information and impetus to upgrade to
> commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector.
> 
> Thanks
> --
> David Jorm / Red Hat Product Security
> 
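
The mitigation named in the quoted message, as an added example that is not part of the original thread or of the commons-beanutils project's own code: registering `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` on a `PropertyUtilsBean` so the `class` property is no longer resolvable during binding. It assumes commons-beanutils 1.9.2 on the classpath; `UserForm`, `hardenedBeanUtils` and `exposesClass` are hypothetical names.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    // Hypothetical form bean standing in for a framework's request-bound object.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // BeanUtilsBean whose introspection result has the 'class' property removed.
    static BeanUtilsBean hardenedBeanUtils() {
        PropertyUtilsBean props = new PropertyUtilsBean();
        props.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), props);
    }

    // True if 'class' is still visible as a bean property through this instance.
    static boolean exposesClass(PropertyUtilsBean props, Object bean) throws Exception {
        return props.getPropertyDescriptor(bean, "class") != null;
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        BeanUtilsBean hardened = hardenedBeanUtils();

        // Compare an unconfigured instance with the hardened one.
        System.out.println("default exposes class:  " + exposesClass(new PropertyUtilsBean(), form));
        System.out.println("hardened exposes class: " + exposesClass(hardened.getPropertyUtils(), form));

        // Ordinary binding still works (constructed sample input).
        Map<String, Object> params = new HashMap<String, Object>();
        params.put("name", "alice");
        hardened.populate(form, params);
        System.out.println("bound name: " + form.getName());

        // A direct read of 'class' is rejected as an unknown property.
        try {
            hardened.getPropertyUtils().getProperty(form, "class");
        } catch (NoSuchMethodException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The introspector only takes effect on the `PropertyUtilsBean` it is added to, so a framework has to route its binding through that instance (or register the introspector on the shared one via `PropertyUtils.addBeanIntrospector`).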
