[ https://issues.apache.org/jira/browse/VELTOOLS-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105338#comment-16105338 ]

Mark Symons commented on VELTOOLS-170:
--------------------------------------

I am not a developer and so am not able to really opine on the fix 
recommendation...  merely pass on the recommendation.

I have checked the current status of the threat warning and it has changed 
slightly.

h4.Explanation
Text added: 
Note: This vulnerability is also the root cause of 
[CVE-2017-3503|https://nvd.nist.gov/vuln/detail/CVE-2017-3503].

h4.Recommendation 

{{commons-beanutils}} added a {{SuppressPropertiesBeanIntrospector}} which 
includes a specialized instance of itself as the {{SUPPRESS_CLASS}} constant in 
version 1.9.2 that specifically suppresses the {{class}} property. However, 
this is not enabled by default.

We recommend filtering the {{class}} property name by using either:

* The {{SUPPRESS_CLASS}} specialized instance of 
{{SuppressPropertiesBeanIntrospector}}
* A custom instance of {{SuppressPropertiesBeanIntrospector}} that will 
suppress the class property.

Alternatively, you can implement a custom servlet filter as described in
https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.

> Upgrade beanutils to 1.9.2 & suppress access to class and Class
> ---------------------------------------------------------------
>
>                 Key: VELTOOLS-170
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-170
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Priority: Critical
>
> Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and 
> mitigate CVE-2014-0114.   See BEANUTILS-463 for fix info.
> Velocity Tools v2.0 currently uses bean-utils v1.7.0
> Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat 
> analysis has updated affected versions to include 1.7.0.
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar 
> in Apache Struts 1.x through 1.3.10 and in other products requiring 
> commons-beanutils through 1.9.2, does not suppress the class property, which 
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
> code via the class parameter, as demonstrated by the passing of this 
> parameter to the getClass method of the ActionForm object in Struts 1.
> {quote}
> h5.CVSS Version 2 Metrics:
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type:
> * Allows unauthorized disclosure of information
> * Allows unauthorized modification
> * Allows disruption of service 
> h3.Edit: 28th November 2016
> Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November 
> 2016).  From the vulnerability information provided (and highlighting in red 
> the bit that applies to Velocity Tools):
> {quote}
> h4.Explanation
> Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can 
> lead to Remote Code Execution (RCE). Access to the {{class}} and {{Class}} 
> properties is not suppressed, exposing them by default. An attacker can 
> construct malicious input using the {{class property}} in order to manipulate 
> the {{ClassLoader}} potentially leading to arbitrary code execution.
> h4.Detection
> {color:red}If you are the calling application, you are vulnerable by running 
> this component without filtering the property names {{class}} and 
> {{Class}}{color}. If this is a transitive dependency, you will want to 
> contact the parent project to ensure they have added a mitigating control.
> Note: If you are using the built-in implementation of 
> {{SuppressPropertiesBeanIntrospector}} added in version 1.9.2 of 
> {{commons-beanutils}} as your mitigation you are still vulnerable. Although 
> the built-in implementation specifically suppresses the {{class}} property, 
> it does not also suppress {{Class}}.
> h4.Recommendation
> Although commons-beanutils offers a built-in implementation of 
> SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically 
> suppresses the “class” property, it does not also suppress “Class”. Due to 
> this insufficient fix which is also not enabled by default, we recommend 
> implementing your own custom mitigating control such as the one found here - 
> https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
> {quote}
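The mitigation both scanners describe, written out as an added example (not Velocity Tools or Commons BeanUtils code): a custom {{SuppressPropertiesBeanIntrospector}} registered on the shared {{PropertyUtilsBean}} that hides both {{class}} and {{Class}}, with a check that the {{class}} property is no longer reachable. It assumes commons-beanutils 1.9.2 or later on the classpath; {{UserForm}} is a constructed sample bean, not a real Velocity Tools class.

```java
import java.beans.PropertyDescriptor;
import java.util.Arrays;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassSuppression {

    /** Constructed sample bean standing in for an ActionForm-style request bean (assumption). */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Registers the mitigation on the given BeanUtilsBean (normally BeanUtilsBean.getInstance()).
     * SUPPRESS_CLASS alone only hides "class"; this custom instance also hides "Class",
     * as the Nexus IQ recommendation asks for. Must run before any bean is introspected,
     * so the cached descriptors are cleared afterwards to be safe.
     */
    public static void suppressClassProperties(BeanUtilsBean beanUtils) {
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        propertyUtils.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Arrays.asList("class", "Class")));
        propertyUtils.clearDescriptors();
    }

    /** Returns true when neither "class" nor "Class" is exposed as a property of the bean. */
    public static boolean isClassPropertyHidden(BeanUtilsBean beanUtils, Object bean) {
        for (PropertyDescriptor pd : beanUtils.getPropertyUtils().getPropertyDescriptors(bean)) {
            String n = pd.getName();
            if ("class".equals(n) || "Class".equals(n)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean beanUtils = BeanUtilsBean.getInstance();
        UserForm form = new UserForm();
        // Before the mitigation, getProperty(form, "class") returns the Class object.
        System.out.println("class hidden before: " + isClassPropertyHidden(beanUtils, form));
        suppressClassProperties(beanUtils);
        // After the mitigation, getProperty(form, "class") throws NoSuchMethodException.
        System.out.println("class hidden after:  " + isClassPropertyHidden(beanUtils, form));
    }
}
```

A deployment check is to call {{isClassPropertyHidden}} against every bean type that request parameters are populated into, at startup, and fail fast if it returns false.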



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
