This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-configuration.git


The following commit(s) were added to refs/heads/master by this push:
     new 44dedf5d Describe the security model (#540)
44dedf5d is described below

commit 44dedf5d039a1129e53a1434808beb5b591ab3b7
Author: Arnout Engelen <[email protected]>
AuthorDate: Fri Feb 7 20:11:28 2025 +0100

    Describe the security model (#540)
    
    * Describe the security model
    
    For 2.x we intend not to allow code execution or DoS issues when
    loading and processing untrusted configurations.
    
    * Grammar and wordiness
    
    ---------
    
    Co-authored-by: Gary Gregory <[email protected]>
---
 src/site/xdoc/security.xml | 39 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index b1a119c5..4fed7978 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -24,24 +24,28 @@
             <p>
                 This page lists all security vulnerabilities fixed in released 
versions of this component.
             </p>
-
             <p>
-                Please note that binary patches are never provided. If you 
need to apply a source code patch, use the
-                building instructions for the component version that you are 
using.
+                Binary patches are never provided. Refer to a component's 
building instructions to apply source patches.
             </p>
-
             <p>
-                If you need help on building this component or other help on 
following the instructions to
+                If you need help building this component or other help 
following the instructions to
                 mitigate the known vulnerabilities listed here, please send 
your questions to the public
                 <a href="mail-lists.html">user mailing list</a>.
             </p>
-
             <p>
-                If you have encountered an unlisted security vulnerability or 
other unexpected behavior that has security
+                If you have encountered an unlisted security vulnerability or 
other unexpected behavior that has a security
                 impact, or if the descriptions here are incomplete, please 
report them privately to the Apache Security
                 Team. Thank you.
             </p>
-
+            <subsection name="Security Model">
+                <p>
+                    The <a 
href="https://commons.apache.org/security.html#Security_Model";>Apache Commons 
security model</a>
+                    specifies that it is unsafe to pass possibly malicious 
input to Commons libraries.
+                    For Commons Configuration 2.x, loading untrusted 
configuration files or performing operations
+                    on them should not allow code execution, and should not 
cause any denial of service situations.
+                    'Denial of service' here means causing resource usage 
disproportionate to the input size.
+                </p>
+            </subsection>
             <subsection name="CVE-2022-33980 prior to 2.8.0, RCE when applied 
to untrusted input">
                 <p>
                     On 2022-07-06, the Apache Commons Configuration team 
disclosed
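Review bot: The new "Security Model" paragraph states that loading untrusted configuration files "should not allow code execution", but the CVE-2022-33980 section further down says that some of the available interpolators can trigger network access or code execution by design and that this is intended. As written, the two statements read as contradictory; the new paragraph should say that the guarantee applies to the interpolators enabled by default, and that an application which deliberately enables the interpolators capable of network access or code execution takes on responsibility for validating the input it feeds them. It would also help to state that this is a narrower promise than the general Apache Commons model quoted in the first sentence (which says untrusted input is unsafe in general), for example: "For Commons Configuration 2.x, and with the default set of interpolators, loading untrusted configuration files ..." Finally, the 'Denial of service' definition is useful; consider adding that it covers memory and stack usage as well as time, since the CONFIGURATION-840/841 entries on this page are StackOverflowError cases.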
@@ -50,19 +54,19 @@
                 </p>
                     <ul>
                         <li>
-                            If you rely on software that uses a version of 
commons-configuration prior to 2.8.0, you are likely
+                            If you rely on software that uses a version of 
commons-configuration before 2.8.0, you are likely
                             still not vulnerable: only if this software loads 
configuration
                             files from untrusted sources, which is likely rare.
                         </li>
                         <li>
-                            If your own software uses commons-configuration, 
double-check whether it loads
+                            If your software uses Commons Configuration, 
double-check whether it loads
                             configuration files from untrusted sources. If so, 
an update to 2.8.0 could be a
-                            quick workaround, but the recommended solution is 
to also properly validate and sanitize the
+                            quick workaround, but the recommended solution is 
to validate and sanitize
                             untrusted input.
                         </li>
                     </ul>
                 <p>
-                    Apache Commons Configuration is a library to read 
configuration data from a variety of sources.
+                    Apache Commons Configuration is a library that reads 
configuration data from many sources.
                     It supports variable interpolation with lookups using 
various mechanisms, such as system properties
                     or environment variables. Some of the available 
interpolators can trigger network
                     access or code execution. This is intended, but it also 
means an application that includes user
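Review bot: The second bullet was changed from "commons-configuration" to "Commons Configuration", but the first bullet in the same list still reads "uses a version of commons-configuration before 2.8.0"; the two should use the same name, preferably "Commons Configuration" to match the rest of the page. While touching this list, the first bullet's "you are likely still not vulnerable: only if this software loads configuration files from untrusted sources, which is likely rare" is hard to parse; suggest "you are likely not vulnerable unless that software loads configuration files from untrusted sources, which is rare."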
@@ -70,15 +74,14 @@
                     attacker to trigger those interpolators.
                 </p>
                 <p>
-                    For that reason the Apache Commons Configuration team have 
decided to update the list of interpolators
-                    that are enabled by default to be more
-                    conservative, so that the impact of a failure to validate 
inputs is mitigated and will not
+                    For that reason, the Apache Commons Configuration team 
decided to update the list of interpolators
+                    enabled by default to be more conservative, so that the 
impact of a failure to validate inputs is mitigated and will not
                     give an attacker access to these interpolators. However, 
it is still recommended that users treat
                     untrusted input with care.
                 </p>
                 <p>
                     We're not currently aware of any applications that load 
untrusted input as configuration
-                    and thus would have been impacted by this problem prior to 
Apache Commons Configuration 2.8.0.
+                    and thus would have been impacted by this problem before 
Apache Commons Configuration 2.8.0.
                 </p>
                 <p>
                     This issue is different from
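Review bot: The rewritten sentence still says the impact "is mitigated and will not give an attacker access to these interpolators", which mixes a partial claim (mitigated) with an absolute one (will not). Since the page elsewhere names 2.8.0 as the version with the change, it would be more precise to say which version made the default list more conservative and what that means in practice, for example: "Since 2.8.0, the interpolators that can trigger network access or code execution are no longer enabled by default, so a failure to validate input does not by itself give an attacker access to them." That also ties the paragraph to the bullet above that recommends updating to 2.8.0 as a workaround.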
@@ -118,7 +121,7 @@
                </p>
                <p>
                  This Out-of-bounds Write vulnerability in Apache Commons 
Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
-                 User can see this as a <code>StackOverflowError</code> when 
adding a property in 
<code>AbstractListDelimiterHandler.flattenIterator()</code>.
+                 Users can see this as a <code>StackOverflowError</code> when 
adding a property in 
<code>AbstractListDelimiterHandler.flattenIterator()</code>.
                  Users are recommended to upgrade to version 2.10.1, which 
fixes the issue. 
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-840</a>.
                </p>
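Review bot: The CONFIGURATION-840 entry says users "can see this as a StackOverflowError when adding a property in AbstractListDelimiterHandler.flattenIterator()" but, unlike the CONFIGURATION-841 entry that follows, it does not say what kind of input triggers it. Stating the triggering condition (as the 841 entry does with "a cyclical object tree") lets readers judge whether their usage is exposed and whether the 2.10.1 upgrade is urgent for them. Also, since both entries are StackOverflowError cases, they are exactly the "resource usage disproportionate to the input size" class that the new Security Model subsection defines; a sentence linking them to that definition would make the page more consistent.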
@@ -129,7 +132,7 @@
                </p>
                <p>
                  This Out-of-bounds Write vulnerability in Apache Commons 
Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
-                 User can see this as a <code>StackOverflowError</code> 
calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical 
object tree.
+                 Users can see this as a <code>StackOverflowError</code> 
calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical 
object tree.
                  Users are recommended to upgrade to version 2.10.1, which 
fixes the issue. 
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-841</a>.
                </p>
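Review bot: The link in this entry has an href pointing to CONFIGURATION-840 while the visible link text reads CONFIGURATION-841; one of the two is wrong, and since the entry above already covers CONFIGURATION-840, the href should most likely be changed to match the text. This is unchanged context in the hunk, but it is worth fixing in the same change since the page is being edited anyway. The trailing space after "fixes the issue." (present in both this entry and the one above) can also be dropped.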