Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 07 Jul 2014 12:33:55 +1000
From: David Jorm <djorm@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: CVE request for commons-beanutils: 'class' property
 is exposed, potentially leading to RCE

Given that no one else has replied, I have now assigned CVE-2014-3540 to 
this flaw via the Red Hat CNA:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3540

Thanks
David

On 06/27/2014 06:00 PM, Arun Babu Neelicattu wrote:
> Hi,
>
> Is there a decision on this one? Did this one get missed?
>
> -arun
>
> ----- Original Message -----
>> From: "David Jorm" <djorm@...hat.com>
>> To: oss-security@...ts.openwall.com
>> Sent: Monday, June 16, 2014 8:39:28 AM
>> Subject: [oss-security] CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
>>
>> Hi All
>>
>> I have raised this twice with security@...che.org, on 30 April and June
>> 3. I have received no response either time, therefore I am raising it on
>> oss-security.
>>
>> CVE-2014-0114 describes a well-known issue in Apache Struts 1:
>>
>> "It was found that the Struts 1 ActionForm object allowed access to the
>> 'class' parameter, which is directly mapped to the getClass() method. A
>> remote attacker could use this flaw to manipulate the ClassLoader used
>> by an application server running Struts 1. This could lead to remote
>> code execution under certain conditions."
>>
>> The root cause of this flaw is that commons-beanutils exposes the class
>> property by default, with no mechanism to disable access to it. Struts 1
>> is considered EOL upstream, and upstream has not yet shipped a patch for
>> this flaw. Red Hat has shipped a patch, which was submitted upstream as
>> a pull request:
>>
>> https://github.com/apache/struts1/pull/1
>>
>> This patch disables access to the class property in struts itself,
>> rather than in commons-beanutils. Other frameworks built on
>> commons-beanutils, such as Apache Stripes, are likely to expose similar
>> issues. I think it would be a good idea to also assign a separate CVE ID
>> to commons-beanutils, and ship a patch for commons-beanutils itself. The
>> commons-beanutils patch could be inherited by other frameworks that may
>> not have the resources to produce their own patch.
>>
>> commons-beanutils 1.9.2 has now shipped:
>>
>> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
>>
>> Incorporating a patch for this issue:
>>
>> https://issues.apache.org/jira/browse/BEANUTILS-463
>>
>> "A specialized BeanIntrospector implementation has been added which
>> allows suppressing properties. There is also a pre-configured instance
>> removing the class property from beans. Some notes have been added to
>> the user's guide."
>>
>> I think it would be appropriate to assign a CVE ID to this issue in
>> commons-beanutils, and publish an advisory. This would provide framework
>> developers with the necessary information and impetus to upgrade to
>> commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector.
>>
>> Thanks
>> --
>> David Jorm / Red Hat Product Security
>>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.