
List:       oss-security
Subject:    Re: [oss-security] CVE request for commons-beanutils: 'class' property is exposed, potentially leadi
From:       Arun Babu Neelicattu <abn () redhat ! com>
Date:       2014-06-27 8:00:38
Message-ID: 1251940714.23099142.1403856038932.JavaMail.zimbra () redhat ! com

Hi,

Is there a decision on this one? Did this one get missed?

-arun

----- Original Message -----
> From: "David Jorm" <djorm@redhat.com>
> To: oss-security@lists.openwall.com
> Sent: Monday, June 16, 2014 8:39:28 AM
> Subject: [oss-security] CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
> 
> Hi All
> 
> I have raised this twice with security@apache.org, on 30 April and June
> 3. I have received no response either time, therefore I am raising it on
> oss-security.
> 
> CVE-2014-0114 describes a well-known issue in Apache Struts 1:
> 
> "It was found that the Struts 1 ActionForm object allowed access to the
> 'class' parameter, which is directly mapped to the getClass() method. A
> remote attacker could use this flaw to manipulate the ClassLoader used
> by an application server running Struts 1. This could lead to remote
> code execution under certain conditions."
> 
> The root cause of this flaw is that commons-beanutils exposes the class
> property by default, with no mechanism to disable access to it. Struts 1
> is considered EOL upstream, and upstream has not yet shipped a patch for
> this flaw. Red Hat has shipped a patch, which was submitted upstream as
> a pull request:
> 
> https://github.com/apache/struts1/pull/1
> 
> This patch disables access to the class property in struts itself,
> rather than in commons-beanutils. Other frameworks built on
> commons-beanutils, such as Apache Stripes, are likely to expose similar
> issues. I think it would be a good idea to also assign a separate CVE ID
> to commons-beanutils, and ship a patch for commons-beanutils itself. The
> commons-beanutils patch could be inherited by other frameworks that may
> not have the resources to produce their own patch.
> 
> commons-beanutils 1.9.2 has now shipped:
> 
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
> 
> Incorporating a patch for this issue:
> 
> https://issues.apache.org/jira/browse/BEANUTILS-463
> 
> "A specialized BeanIntrospector implementation has been added which
> allows suppressing properties. There is also a pre-configured instance
> removing the class property from beans. Some notes have been added to
> the user's guide."
> 
> I think it would be appropriate to assign a CVE ID to this issue in
> commons-beanutils, and publish an advisory. This would provide framework
> developers with the necessary information and impetus to upgrade to
> commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector.
> 
> Thanks
> --
> David Jorm / Red Hat Product Security
> 

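As an added illustration of the fix David describes (not code from the thread, Struts, or commons-beanutils itself), the snippet below checks whether a bean exposes the inherited `class` property under default introspection and then installs the pre-configured `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` so that framework-style population ignores it. It assumes commons-beanutils 1.9.2 or later on the classpath; `LoginForm` and the parameter map are constructed stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed stand-in for a form bean that a framework fills from request parameters.
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Every JavaBean inherits getClass(), so default introspection treats "class" as readable.
    static boolean classExposed(PropertyUtilsBean pu) {
        return pu.isReadable(new LoginForm(), "class");
    }

    // Hardened PropertyUtilsBean: the pre-configured introspector drops the class property
    // from the descriptors, so lookups of "class" (and anything nested under it) find nothing.
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pu;
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("default  exposes class: " + classExposed(defaults));  // true
        System.out.println("hardened exposes class: " + classExposed(hardened));  // false

        // Make the hardened instance the global default so BeanUtils.populate() uses it too.
        BeanUtilsBean.setInstance(new BeanUtilsBean(new ConvertUtilsBean(), hardened));

        // Constructed request parameters: one legitimate field, one targeting "class".
        Map<String, Object> params = new HashMap<String, Object>();
        params.put("username", "alice");
        params.put("class", "ignored");
        LoginForm form = new LoginForm();
        BeanUtilsBean.getInstance().populate(form, params);  // "class" is silently skipped
        System.out.println("username=" + form.getUsername());
    }
}
```

Frameworks that keep their own `BeanUtilsBean` per context (as Struts does via `BeanUtilsBean.getInstance()` per class loader) need the introspector registered on that instance rather than only on the global default.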
