Date: Mon, 16 Jun 2014 08:39:28 +1000 From: David Jorm <djorm@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE Hi All I have raised this twice with security@...che.org, on 30 April and June 3. I have received no response either time, therefore I am raising it on oss-security. CVE-2014-0114 describes a well-known issue in Apache Struts 1: "It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions." The root cause of this flaw is that commons-beanutils exposes the class property by default, with no mechanism to disable access to it. Struts 1 is considered EOL upstream, and upstream has not yet shipped a patch for this flaw. Red Hat has shipped a patch, which was submitted upstream as a pull request: https://github.com/apache/struts1/pull/1 This patch disables access to the class property in struts itself, rather than in commons-beanutils. Other frameworks built on commons-beanutils, such as Apache Stripes, are likely to expose similar issues. I think it would be a good idea to also assign a separate CVE ID to commons-beanutils, and ship a patch for commons-beanutils itself. The commons-beanutils patch could be inherited by other frameworks that may not have the resources to produce their own patch. commons-beanutils 1.9.2 has now shipped: http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt Incorporating a patch for this issue: https://issues.apache.org/jira/browse/BEANUTILS-463 "A specialized BeanIntrospector implementation has been added which allows suppressing properties. There is also a pre-configured instance removing the class property from beans. Some notes have been added to the user's guide." I think it would be appropriate to assign a CVE ID to this issue in commons-beanutils, and publish an advisory. This would provide framework developers with the necessary information and impetus to upgrade to commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector. Thanks -- David Jorm / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.