[
https://issues.apache.org/jira/browse/CASSANDRA-14612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419287#comment-17419287
]
Albert Butler commented on CASSANDRA-14612:
-------------------------------------------
Please...do not exclude "commons-collections-3.2.1.jar: CVE-2017-15708". I
have leveraged that vulnerability "in testing" to prove the point to my
superiors that it is a serious flaw. There is a well-crafted exploit that is
publicly available here: [https://github.com/frohoff/ysoserial]. That exploit
covers that and many other deserialization jars. It only took me one hour to
download that exploit code, inject a reverse shell payload into it, and target
the system we were working on. I reformatted the hard drive to prove a point.
Almost got fired by my boss, but the customer, "a bank", was VERY appreciative
of our due diligence. FYI, other jars that that exploit works against are:
$ java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload] '[command]'
Available payload types:
     Payload             Authors                                Dependencies
     -------             -------                                ------------
     AspectJWeaver       @Jang                                  aspectjweaver:1.9.2, commons-collections:3.2.2
     BeanShell1          @pwntester, @cschneider4711            bsh:2.0b5
     C3P0                @mbechler                              c3p0:0.9.5.2, mchange-commons-java:0.2.11
     Click1              @artsploit                             click-nodeps:2.3.0, javax.servlet-api:3.1.0
     Clojure             @JackOfMostTrades                      clojure:1.8.0
     CommonsBeanutils1   @frohoff                               commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
     CommonsCollections1 @frohoff                               commons-collections:3.1
     CommonsCollections2 @frohoff                               commons-collections4:4.0
     CommonsCollections3 @frohoff                               commons-collections:3.1
     CommonsCollections4 @frohoff                               commons-collections4:4.0
     CommonsCollections5 @matthias_kaiser, @jasinner            commons-collections:3.1
     CommonsCollections6 @matthias_kaiser                       commons-collections:3.1
     CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
     FileUpload1         @mbechler                              commons-fileupload:1.3.1, commons-io:2.4
     Groovy1             @frohoff                               groovy:2.3.9
     Hibernate1          @mbechler
     Hibernate2          @mbechler
     JBossInterceptors1  @matthias_kaiser                       javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     JRMPClient          @mbechler
     JRMPListener        @mbechler
     JSON1               @mbechler                              json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser                       javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     Jdk7u21             @frohoff
     Jython1             @pwntester, @cschneider4711            jython-standalone:2.5.2
     MozillaRhino1       @matthias_kaiser                       js:1.7R2
     MozillaRhino2       @_tint0                                js:1.7R2
     Myfaces1            @mbechler
     Myfaces2            @mbechler
     ROME                @mbechler                              rome:1.0
     Spring1             @frohoff                               spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
     Spring2             @mbechler                              spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
     URLDNS              @gebl
     Vaadin1             @kai_ullrich                           vaadin-server:7.7.14, vaadin-shared:7.7.14
     Wicket1             @jacob-baines                          wicket-util:6.23.0, slf4j-api:1.6.4
> Please add OWASP Dependency Check to the build (pom.xml)
> --------------------------------------------------------
>
> Key: CASSANDRA-14612
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14612
> Project: Cassandra
> Issue Type: New Feature
> Components: Build
> Environment: All development, build, test, environments.
> Reporter: Albert Baker
> Assignee: Stefan Miklosovic
> Priority: Normal
> Labels: build, easyfix, security
> Fix For: 3.11.x, 4.x
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to
> perform a lookup for each dependent .jar to list any/all known
> vulnerabilities for each jar. This step is needed because a manual MITRE CVE
> lookup/check on the main component does not include checking for
> vulnerabilities in components or in dependent libraries.
> OWASP Dependency Check:
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most
> Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report
> of all known vulnerabilities in any/all third party libraries/dependencies
> that get pulled in. Example: mvn -Powasp -Dtest=false -DfailIfNoTests=false
> clean aggregate
> Generating this report nightly/weekly will help inform the project's
> development team if any dependent libraries have reported known
> vulnerabilities. Project teams that keep up with removing vulnerabilities on a
> weekly basis will help protect businesses that rely on these open source
> components.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
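An added example, not code from this issue, from the commenter, from Cassandra or from the dependency-check project: the nightly report the issue asks for is only useful if something acts on it, so this script reads the JSON report that dependency-check writes and fails the build when any finding's CVSS score meets a threshold (the same idea as the plugin's failBuildOnCVSS setting). It assumes the report layout of dependency-check's JSON output (dependencies[].fileName and dependencies[].vulnerabilities[] carrying name, severity, cvssv3.baseScore and cvssv2.score); the embedded sample report is constructed, and CVE-2017-15708, the finding the comment above asks not to exclude, is the only real identifier in it. The "accepted" list of reviewed exceptions is this script's own mechanism, not dependency-check's suppression file.

```python
#!/usr/bin/env python3
"""Fail a build on findings in an OWASP Dependency-Check JSON report.

Added example for CASSANDRA-14612; not code from the issue, the comment,
Cassandra or the dependency-check project. Assumed report layout (from
dependency-check's JSON report format): dependencies[].fileName and
dependencies[].vulnerabilities[] with name, severity, cvssv3.baseScore and
cvssv2.score. SAMPLE_REPORT below is constructed; CVE-2017-15708 (cited in
the comment above) is its only real identifier.
"""
import json
import sys
from typing import Iterable, Iterator, List, Tuple

SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "commons-collections-3.2.1.jar",
            "vulnerabilities": [
                {"name": "CVE-2017-15708", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
            ],
        },
        {
            "fileName": "constructed-lib-1.0.jar",  # constructed jar name
            "vulnerabilities": [
                # Placeholder finding, not a real CVE: older NVD entries carry
                # only a CVSSv2 score, so the gate must fall back to it.
                {"name": "CONSTRUCTED-LOW-1", "severity": "LOW",
                 "cvssv2": {"score": 2.1}},
            ],
        },
        {"fileName": "clean-lib-2.0.jar"},  # no "vulnerabilities" key at all
    ]
})

# Bottom of each CVSSv3 qualitative band; used only when a finding has no score.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def finding_score(vuln: dict) -> float:
    """Numeric score for one finding: CVSSv3, else CVSSv2, else severity label.

    A labelled but unscored finding never collapses to 0.0, so an unscored
    CRITICAL still trips a threshold of 7.0 instead of silently passing.
    """
    v3 = vuln.get("cvssv3") or {}
    if isinstance(v3.get("baseScore"), (int, float)):
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if isinstance(v2.get("score"), (int, float)):
        return float(v2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def findings(report_json: str) -> Iterator[Tuple[str, str, float]]:
    """Yield (jar file name, finding name, score) for every finding in the report."""
    report = json.loads(report_json)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            yield dep.get("fileName", "?"), vuln.get("name", "?"), finding_score(vuln)


def gate(report_json: str, fail_on_cvss: float = 7.0,
         accepted: Iterable[Tuple[str, str]] = ()) -> Tuple[bool, List[str]]:
    """Return (passed, messages) for one report.

    Any finding scoring at or above fail_on_cvss fails the build. `accepted`
    holds (jar, finding) pairs for reviewed, documented exceptions; it is this
    script's own list, not dependency-check's suppression file, and it is the
    only way a finding above the threshold gets past the gate.
    """
    accepted_set = set(accepted)
    passed = True
    messages: List[str] = []
    for jar, name, score in findings(report_json):
        if (jar, name) in accepted_set:
            messages.append(f"ACCEPTED {jar}: {name} (score {score:.1f}, reviewed exception)")
        elif score >= fail_on_cvss:
            passed = False
            messages.append(f"FAIL     {jar}: {name} (score {score:.1f} >= {fail_on_cvss:.1f})")
        else:
            messages.append(f"WARN     {jar}: {name} (score {score:.1f})")
    return passed, messages


if __name__ == "__main__":
    # Usage: dc_gate.py [path/to/dependency-check-report.json]; with no
    # argument the constructed sample is gated, which fails on CVE-2017-15708.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, lines = gate(text)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

Run it as the last step of the nightly job after the report is generated; a non-zero exit is what turns "generate a report" into "the build fails until the jar is upgraded or the finding is reviewed and recorded in the accepted list". The CVSSv2 fallback matters because a gate that only reads cvssv3 would score older findings as 0 and pass them.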