Date: Mon, 07 Jul 2014 12:33:55 +1000
From: David Jorm <djorm@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE

Given that no one else has replied, I have now assigned CVE-2014-3540 to 
this flaw via the Red Hat CNA:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3540

Thanks
David

On 06/27/2014 06:00 PM, Arun Babu Neelicattu wrote:
> Hi,
>
> Is there a decision on this one? Did this one get missed?
>
> -arun
>
> ----- Original Message -----
>> From: "David Jorm" <djorm@...hat.com>
>> To: oss-security@...ts.openwall.com
>> Sent: Monday, June 16, 2014 8:39:28 AM
>> Subject: [oss-security] CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
>>
>> Hi All
>>
>> I have raised this twice with security@...che.org, on 30 April and June
>> 3. I have received no response either time, therefore I am raising it on
>> oss-security.
>>
>> CVE-2014-0114 describes a well-known issue in Apache Struts 1:
>>
>> "It was found that the Struts 1 ActionForm object allowed access to the
>> 'class' parameter, which is directly mapped to the getClass() method. A
>> remote attacker could use this flaw to manipulate the ClassLoader used
>> by an application server running Struts 1. This could lead to remote
>> code execution under certain conditions."
>>
>> The root cause of this flaw is that commons-beanutils exposes the class
>> property by default, with no mechanism to disable access to it. Struts 1
>> is considered EOL upstream, and upstream has not yet shipped a patch for
>> this flaw. Red Hat has shipped a patch, which was submitted upstream as
>> a pull request:
>>
>> https://github.com/apache/struts1/pull/1
>>
>> This patch disables access to the class property in struts itself,
>> rather than in commons-beanutils. Other frameworks built on
>> commons-beanutils, such as Apache Stripes, are likely to expose similar
>> issues. I think it would be a good idea to also assign a separate CVE ID
>> to commons-beanutils, and ship a patch for commons-beanutils itself. The
>> commons-beanutils patch could be inherited by other frameworks that may
>> not have the resources to produce their own patch.
>>
>> commons-beanutils 1.9.2 has now shipped:
>>
>> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
>>
>> Incorporating a patch for this issue:
>>
>> https://issues.apache.org/jira/browse/BEANUTILS-463
>>
>> "A specialized BeanIntrospector implementation has been added which
>> allows suppressing properties. There is also a pre-configured instance
>> removing the class property from beans. Some notes have been added to
>> the user's guide."
>>
>> I think it would be appropriate to assign a CVE ID to this issue in
>> commons-beanutils, and publish an advisory. This would provide framework
>> developers with the necessary information and impetus to upgrade to
>> commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector.
>>
>> Thanks
>> --
>> David Jorm / Red Hat Product Security
>>
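
The BEANUTILS-463 mitigation quoted above, shown as an added example that is not part of this thread or of the commons-beanutils project itself. It uses the commons-beanutils 1.9.2 API as I understand it (`PropertyUtilsBean.addBeanIntrospector`, `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, `clearDescriptors`); the `UserForm` bean and the request-style parameter map are constructed for illustration and stand in for a framework form such as a Struts 1 ActionForm. The check reports whether beanutils would resolve a `class` property on the bean before and after the introspector is registered, which is the property a framework should verify after upgrading.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Hypothetical form bean: stands in for any bean a framework populates
    // from request parameters (for example a Struts 1 ActionForm).
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True if beanutils resolves a "class" property on this bean, i.e. a
    // parameter named "class" (or "class.<nested>") would map to getClass().
    static boolean classPropertyExposed(PropertyUtilsBean pub, Object bean) throws Exception {
        return pub.getPropertyDescriptor(bean, "class") != null;
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean beanUtils = BeanUtilsBean.getInstance();
        PropertyUtilsBean pub = beanUtils.getPropertyUtils();
        UserForm form = new UserForm();

        // Default behaviour, also in 1.9.2 until it is configured: exposed.
        System.out.println("class exposed before fix: " + classPropertyExposed(pub, form));

        // Mitigation from BEANUTILS-463: register the pre-configured introspector
        // that removes the "class" property from every bean, then drop cached
        // descriptors so the new introspector takes effect for already-seen beans.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.clearDescriptors();

        System.out.println("class exposed after fix: " + classPropertyExposed(pub, form));

        // Constructed request-style parameters. The benign one is applied; the
        // "class."-prefixed one is ignored because "class" no longer resolves,
        // so the nested path is never walked.
        Map<String, String> params = new HashMap<String, String>();
        params.put("name", "alice");
        params.put("class.classLoader.someSetting", "constructed-placeholder");
        beanUtils.populate(form, params);
        System.out.println("name = " + form.getName());
    }
}
```

Register the introspector once at application start-up, on every `PropertyUtilsBean` the application uses (frameworks that create their own `BeanUtilsBean` instances need the same call on each), and keep the exposure check in the test suite so a later dependency change that reverts to the default introspectors is caught.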
