Abhishek Singh created CASSANDRA-15423:
------------------------------------------

             Summary: CVE-2015-2156 (Netty is vulnerable to Information Disclosure)
                 Key: CASSANDRA-15423
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15423
             Project: Cassandra
          Issue Type: Bug
            Reporter: Abhishek Singh


*Description :*
 *Severity :* CVE CVSS 3.0: 7.5; Sonatype CVSS 3.0: 7.5
 
 *Weakness :* CVE CWE: 20
 
 *Source :* National Vulnerability Database
 
 *Categories :* Data 
 *Description from CVE :* Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 
4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x 
before 2.3.9 might allow remote attackers to bypass the httpOnly flag on 
cookies and obtain sensitive information by leveraging improper validation of 
cookie name and value characters.
 
 *Explanation :* Netty is vulnerable to Information Disclosure. Multiple methods 
in multiple files improperly validate cookie names and values. This allows the 
presence of single-quote and double-quote characters to break tokenization. A 
remote attacker can exploit this vulnerability by inducing a victim to send a 
crafted request containing quote characters in any parameter value that sets a 
cookie. If that tainted cookie gets reflected in the response, the attacker can 
then use Cross-Site Scripting (XSS) to potentially retrieve the entire cookie 
header, despite the presence of an HttpOnly flag.
The Sonatype security research team discovered that the vulnerability is 
present in all versions prior to 3.9.7.Final and 3.10.x before 3.10.2.Final, 
and not in all the versions before 3.9.8.Final and 3.10.x before 3.10.3.Final 
as the advisory states. 
 *Detection :* The application is vulnerable by using this component if it 
reflects any cookie information in a HTML page, and that page is also prone to 
Cross-Site Scripting (XSS) attacks. 
 *Recommendation :* We recommend upgrading to a version of this component that 
is not vulnerable to this specific issue. 
 *Root Cause :* Cassandra-2.2.5.nupkgCookieDecoder.class : [5.0.0.Alpha1, 
5.0.0.Alpha2)
 
 *Advisories :* Project: 
https://engineering.linkedin.com/security/look-netty_s-recen...
 
 *CVSS Details :* CVE CVSS 3.0: 7.5
*Occurrences (Paths) :*
*CVE :* CVE-2015-2156
*URL :* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
