
List:       scout-dev
Subject:    [jira] [Reopened] (JUDDI-1003) spring-web jar supplied with latest JUDDI distribution has security v
From:       "Amol Bhonsle (Jira)" <juddi-dev () ws ! apache ! org>
Date:       2020-02-26 5:15:00
Message-ID: JIRA.13279595.1579095658000.10528.1582694100246 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/JUDDI-1003?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amol Bhonsle reopened JUDDI-1003:
---------------------------------

spring-web-5.2.3.RELEASE has the same issue. However, if you upgrade to spring-web-5.2.4.RELEASE, it is free from the vulnerability. This was released only yesterday. Please explore this option.

> spring-web jar supplied with latest JUDDI distribution has security vulnerability
> ---------------------------------------------------------------------------------
> 
> Key: JUDDI-1003
> URL: https://issues.apache.org/jira/browse/JUDDI-1003
> Project: jUDDI
> Issue Type: Bug
> Components: juddi-tomcat
> Affects Versions: 3.3.6, 3.3.7
> Reporter: Amol Bhonsle
> Assignee: Alex O'Ree
> Priority: Major
> Fix For: 3.3.8
> 
> 
> The jar for spring-web (JUDDI 3.3.7 comes with spring-web-3.2.18.RELEASE) which is provided in the distribution has the following security vulnerabilities.
> The {{org.springframework:spring-web}} package is vulnerable to deserialization of untrusted data leading to Remote Code Execution (RCE). The {{readRemoteInvocation}} method in {{HttpInvokerServiceExporter.class}} does not properly verify or restrict untrusted objects prior to deserializing them. An attacker can exploit this vulnerability by sending malicious requests containing crafted objects, which, when deserialized, execute arbitrary code on the vulnerable system.
> The {{spring-core}} and {{spring-web}} modules of Spring Framework are vulnerable to a multipart content pollution vulnerability. The {{generateMultipartBoundary()}} method in the {{MimeTypeUtils}} class uses a predictable method of generating random values to use as boundary values for multipart requests to other servers. This means that an attacker may be able to predict the boundary values and inject them into requests at unexpected locations, causing the recipient server to incorrectly interpret the multipart request. This will result in unexpected behavior depending on the requests being processed, including privilege escalation if authorization data is sent in the multipart request. Note:
> {quote}In order for the attacker to succeed, they would have to be able to guess the multipart boundary value chosen by server A for the multipart request to server B, which requires the attacker to also have control of the server or the ability to see the HTTP log of server A through a separate attack vector.{quote}
> 
> Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. The {{HiddenHttpMethodFilter}} class lets an attacker change the HTTP request method to {{TRACE}}. An attacker can exploit this behavior with a Cross-Site Scripting (XSS) attack by sending a TRACE request and recovering information that would not normally be accessible, such as Cookies with the HTTPOnly flag.
> Please check and provide a fix for this.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
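The practical follow-up to this thread is verifying which spring-web jar a given jUDDI (juddi-tomcat) installation actually ships and whether it is older than the release the reopen comment names as fixed. The script below is an added example, written for this page and not part of the jUDDI project or the Jira thread: it parses Spring-style version strings such as 3.2.18.RELEASE, compares them numerically against spring-web-5.2.4.RELEASE (the threshold taken from the comment above), and lists the jars that fall below it. The sample jar listing, the artifact set (spring-web only; the report also names spring-core but the thread gives no fixed version for it) and the lib-directory layout are assumptions of the example.

```python
"""Flag spring-web jars in a distribution's lib directory that are older than
the release the JUDDI-1003 reopen comment states as fixed (added example)."""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Threshold from the reopen comment above: spring-web-5.2.4.RELEASE.
FIXED_VERSION = "5.2.4.RELEASE"

# Artifacts to check. The report also names spring-core, but the thread gives
# no fixed version for it, so only spring-web is checked by default (assumption).
ARTIFACTS = ("spring-web",)

# Maven-style jar name: <artifact>-<version>.jar, e.g. spring-web-3.2.18.RELEASE.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.]*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.2.18.RELEASE' -> (3, 2, 18).

    Numeric segments are compared as integers so that 5.2.10 sorts after
    5.2.4; the textual qualifier (RELEASE, SNAPSHOT, ...) is dropped.
    """
    numbers: List[int] = []
    for segment in version.split("."):
        if not segment.isdigit():
            break
        numbers.append(int(segment))
    return tuple(numbers)


def is_affected(jar_name: str, fixed: str = FIXED_VERSION,
                artifacts: Iterable[str] = ARTIFACTS) -> Optional[bool]:
    """True if jar_name is one of `artifacts` and older than `fixed`,
    False if it is at or above `fixed`, None if it is not a jar we check."""
    match = JAR_RE.match(jar_name)
    if match is None or match.group("artifact") not in artifacts:
        return None
    return parse_version(match.group("version")) < parse_version(fixed)


def flag_affected(jar_names: Iterable[str]) -> List[str]:
    """Return the jar names that is_affected() reports as too old."""
    return [name for name in jar_names if is_affected(name)]


def scan_lib_dir(lib_dir: Path) -> List[str]:
    """Apply flag_affected() to the *.jar files in a directory, for example the
    juddi-tomcat webapp's WEB-INF/lib (path layout is an assumption)."""
    return flag_affected(sorted(p.name for p in lib_dir.glob("*.jar")))


# Constructed sample listing, not taken from a real distribution.
SAMPLE_LIB = [
    "juddi-core-3.3.7.jar",
    "spring-core-3.2.18.RELEASE.jar",
    "spring-web-3.2.18.RELEASE.jar",   # version the report says ships with jUDDI 3.3.7
    "spring-web-5.2.3.RELEASE.jar",    # still affected per the reopen comment
    "spring-web-5.2.4.RELEASE.jar",    # fixed per the reopen comment
]

if __name__ == "__main__":
    for jar in flag_affected(SAMPLE_LIB):
        print(f"affected: {jar}")
```

Run it as is to see the check against the constructed listing, or call `scan_lib_dir(Path("/path/to/webapps/juddiv3/WEB-INF/lib"))` against an unpacked distribution. Comparing numeric segments as integers rather than as strings matters here: a plain string comparison would rank 5.2.10 below 5.2.4 and miss or misreport jars.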

