Date: Mon, 7 Jul 2014 22:20:19 -0400 (EDT) From: cve-assign@...re.org To: djorm@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://openwall.com/lists/oss-security/2014/06/15/10 > "A specialized BeanIntrospector implementation has been added which > allows suppressing properties. There is also a pre-configured instance > removing the class property from beans. Some notes have been added to > the user's guide." > > I think it would be appropriate to assign a CVE ID to this issue As far as we can tell, these are the specific commons-beanutils changes for which you proposed to have a CVE ID: http://svn.apache.org/viewvc?view=revision&revision=1597345 http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/package-info.java?r1=1597345&r2=1597344&pathrev=1597345 Because the class property is undesired in many use cases there is already an instance of SuppressPropertiesBeanIntrospector which is configured to suppress this property. http://svn.apache.org/viewvc?view=revision&revision=1597344 http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?r1=1597344&r2=1597343&pathrev=1597344 public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class")); http://svn.apache.org/viewvc?view=revision&revision=1597343 http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?revision=1597343&view=co&pathrev=1597343 public class SuppressPropertiesBeanIntrospector implements BeanIntrospector (Note that the last version of Apache Struts 1, version 1.3.10, bundles commons-beanutils-1.8.0.jar in its lib directory. The 1.8.0 codebase obviously does not have the recently introduced SuppressPropertiesBeanIntrospector class. To the extent that "The root cause of this [CVE-2014-0114] flaw is that commons-beanutils exposes the class property by default," we have a situation with the same problem in two copies of the same original codebase, i.e., the copy bundled in struts-1.3.10-all.zip from http://struts.apache.org/download.cgi and the copy found at the http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.1-src.zip URL. In this context, the same problem cannot be represented by two different CVE IDs.) The entire set of changes from the above http://svn.apache.org URLs makes it easier to use commons-beanutils safely, but it does not change the default configuration or behavior in any way, and is thus not eligible for a CVE ID. In particular, the 1597344 change has this documentation: Adding this instance as BeanIntrospector to an instance of PropertyUtilsBean suppresses the class property; it can then no longer be accessed. This is an additional step that would need to be followed for any currently shipped product that relies on commons-beanutils. Simply picking up version 1.9.2 does not solve the problem. The product's source code must additionally be modified by (for example) changing or adding an addBeanIntrospector method call. Points that you raise, such as: - This would provide framework developers with the necessary information and impetus to upgrade - The commons-beanutils patch could be inherited by other frameworks that may not have the resources to produce their own patch are worthwhile, but the scope of the CVE project does not include IDs that exist only for a communication/outreach goal. We are proceeding in this way: - immediately REJECT CVE-2014-3540 because, at the level of abstraction used by CVE, a second CVE ID is not required - at the same time, change the CVE-2014-0114 description and references to emphasize your important finding about the root cause. For example, the new CVE-2014-0114 description may be similar to: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. If any other product makes a security announcement that they have added addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS) or equivalent code as a change to the default behavior, then there can be an individual CVE ID for that product. However, if any other product simply makes a security announcement that they have decided to ship commons-beanutils 1.9.2 -- but the class property remains exposed in the product as it is shipped and installed by default -- then a CVE ID would not be assigned. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTu1Q8AAoJEKllVAevmvmsbboH/1V6JmrC2teZ9IUlxUJhJMq+ LK12/O3Iwfwevj0qaf8NuLhFi/wfCqURpMl2RbeeEC+xsYFY0VaJpZF7ixIRaMuB dh6Ix5Qe/hEeOFJDLOuMkT4m41mN8dItwfv/iQw2qkWn/+DOUsvMf2pxxLzUN/M8 yBPCtx0QK83CS/utM3FQmmQEN2V9eVqNLijgLLgt2xR1boJXr9PFWiMOf2mov2y/ FVOc/CkLQa/AOfB8yee7gujmQwekKb8hLpEdWdPMWNkKFwsIhHc5UJBS366z96Yv B5P1xZwBqAMpdAgo2dGXrUSBLdeAa/XOJMXeoJBz+fskXdst4AsTMgBTxPer5OI= =tvsw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.