Author: taylor
Date: Thu Mar  3 20:54:49 2016
New Revision: 1733520

URL: http://svn.apache.org/viewvc?rev=1733520&view=rev
Log:
adding Security Reports to site. Updating Roadmap

Added:
    portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml
      - copied, changed from r1693286, 
portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml
Modified:
    portals/site/jetspeed/jetspeed-2.3/src/site/site.xml
    portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml

Modified: portals/site/jetspeed/jetspeed-2.3/src/site/site.xml
URL: 
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/site.xml?rev=1733520&r1=1733519&r2=1733520&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/site.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/site.xml Thu Mar  3 20:54:49 
2016
@@ -44,6 +44,7 @@
         <item name="Getting Started" href="getting-started.html" />
                <!--<item name="Online Demos" href="demo.html"/>-->
         <item name="Roadmap" href="roadmap.html" />
+        <item name="Security Reports" href="security-reports.html" />
     </menu>
         
        <menu name="Get Jetspeed">

Modified: portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml
URL: 
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml?rev=1733520&r1=1733519&r2=1733520&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml Thu Mar  3 
20:54:49 2016
@@ -17,55 +17,60 @@
 -->
 <document>
     <properties>
-       <title>Jetspeed Roadmap</title>
-       <subtitle>Roadmap</subtitle>
-       <authors>
-            <person name="David Sean Taylor" email="[email protected]" />
-       </authors>
+        <title>Jetspeed Roadmap</title>
+        <subtitle>Roadmap</subtitle>
+        <authors>
+            <person name="David Sean Taylor" email="[email protected]"/>
+        </authors>
     </properties>
     <body>
-    <section name="Upcoming Releases Timeline">
+        <section name="Upcoming Releases Timeline">
             <ul>
-                <li>2.3.0 - July 2015</li>
-                <li>2.3.1 - January 2016</li>
+                <li>2.3.1 - February 2016</li>
             </ul>
         </section>
-       <section name="2.3.0 Release">
-        <p>The theme of this release is to get back on track with the latest 
versions of Java, Servlet Containers, Maven</p>
-        <ul>
-            <li>Java 1.7 Support(JS2-1292)</li>
-            <li>Jetspeed API + Generics (JS2-874)</li>
-            <li>Tomcat7 and Servlet 3.0 (JS2-1274)</li>
-            <li>Upgrade Dependencies, Spring (JS2-1290)</li>
-            <li>New Responsive Decorators (JS2-1314)</li>
-            <li>New Responsive Layout (JS2-1315)</li>
-            <li>J2-Admin Angular Portlet Framework (JS2-1316)</li>
-            <li>J2-Admin Core Portlets Responsive (JS2-1317)</li>
-            <li>J2-Admin Chart Portlets (JS2-1320)</li>
-            <li>New User Manager (JS2-1293)</li>
-            <li>Preferences Performance Improvements (JS2-1325)</li>
-            <li>Security Performance Improvements (JS2-1324)</li>
-            <li>Upgraded Portals APA and Bridges Dependencies</li>
-        </ul>
-    </section>
 
-    <section name ="2.3.1 Release">
-        <p>The theme of this release is to continue to improve the user 
interface experience</p>
-        <ul>
-            <li>Continue Admin Portlets Upgrades (JS2-1282)</li>
-            <li>Customization Improvements (JS2-1084)</li>
-            <li>Deprecate old Decorators, Layouts. Make Responsive Default 
Layouts and Decorators</li>
-            <li>Security Domains (JS2-1233)</li>
-            <li>Maven Improvements (JS2-1291)</li>
-        </ul>
+        <section name="2.3.1 Release">
+            <p>The theme of this release is to continue to improve the user 
interface experience</p>
+            <ul>
+                <li><a href="security-reports.html">Apache Security CVE Fixes 
to 2.3.0</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1348";>Search Feature 
(JS2-1348)</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1341";>Detached Portlets 
(JS2-1341)</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1342";>Update Archetype and 
Tutorial (JS2-1342)</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1349";>User Admin, Filter by 
Groups (JS2-1349)</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1346";>User Admin, Edit Email 
field (JS2-1346)</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1345";>Improve CSS in Site 
Manager and Constraints Admin (JS2-1345)</a></li>
+                <li><a 
href="https://issues.apache.org/jira/browse/JS2-1340";>Improvements to Standard 
Portlet Decorators (JS2-1340)</a></li>
+
+<!--
+                <li>Content (JS2-)</li>
+                <li>Web Sockets (JS2-)</li>
+                <li>Backend Services</li>
+                <li>Continue Admin Portlets Upgrades (JS2-1282)</li>
+                <li>Customization Improvements (JS2-1084)</li>
+                <li>Security Domains (JS2-1233)</li>
+                <li>Maven Improvements (JS2-1291)</li>
+                <li>Jetspeed Service Annotations</li>
+ -->
+            </ul>
         </section>
-        <section name="Last Release">
-            <p><a 
href='http://portals.apache.org/jetspeed-2/features.html'>2.2.2</a>- released 
October 2011</p>
+
+        <section name="Last Release 2.3.0">
+            <p>2.3.0 - released October 2011</p>
             <ul>
-                <li>Portlet Cloning</li>
-                <li>Apache Solr based Search Engine</li>
-                <li>Bulk Migration of DBPSML from 2.1.x to 2.2.x</li>
-                <li>Admin Security and Portlet Level Security Improvements</li>
+                <li>Java 1.7 Support(JS2-1292)</li>
+                <li>Jetspeed API + Generics (JS2-874)</li>
+                <li>Tomcat7 and Servlet 3.0 (JS2-1274)</li>
+                <li>Upgrade Dependencies, Spring (JS2-1290)</li>
+                <li>New Responsive Decorators (JS2-1314)</li>
+                <li>New Responsive Layout (JS2-1315)</li>
+                <li>J2-Admin Angular Portlet Framework (JS2-1316)</li>
+                <li>J2-Admin Core Portlets Responsive (JS2-1317)</li>
+                <li>J2-Admin Chart Portlets (JS2-1320)</li>
+                <li>New User Manager (JS2-1293)</li>
+                <li>Preferences Performance Improvements (JS2-1325)</li>
+                <li>Security Performance Improvements (JS2-1324)</li>
+                <li>Upgraded Portals APA and Bridges Dependencies</li>
             </ul>
         </section>
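Review bot: In the new "Last Release 2.3.0" section, `<p>2.3.0 - released October 2011</p>` carries over the date from the old 2.2.2 entry, while the timeline line removed earlier in this hunk gave 2.3.0 as July 2015. Please correct the release date before publishing. Two smaller points in the same hunk: the 2.3.1 theme sentence still describes only user interface work although the first list item is now the CVE fixes, so the theme could mention the security fixes; and the commented-out items `<li>Content (JS2-)</li>` and `<li>Web Sockets (JS2-)</li>` have incomplete issue keys that should be filled in or dropped before the block is ever uncommented.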
 

Copied: portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml 
(from r1693286, portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml)
URL: 
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml?p2=portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml&p1=portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml&r1=1693286&r2=1733520&rev=1733520&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml Thu 
Mar  3 20:54:49 2016
@@ -17,56 +17,139 @@
 -->
 <document>
     <properties>
-       <title>Jetspeed Roadmap</title>
-       <subtitle>Roadmap</subtitle>
-       <authors>
-            <person name="David Sean Taylor" email="[email protected]" />
-       </authors>
+        <title>Jetspeed Security Reports</title>
+        <subtitle>Common Vulnerabilities and Exposures (CVE) Reports</subtitle>
+        <authors>
+            <person name="David Sean Taylor" email="[email protected]"/>
+        </authors>
     </properties>
     <body>
-    <section name="Upcoming Releases Timeline">
-            <ul>
-                <li>2.3.0 - July 2015</li>
-                <li>2.3.1 - January 2016</li>
-            </ul>
-        </section>
-       <section name="2.3.0 Release">
-        <p>The theme of this release is to get back on track with the latest 
versions of Java, Servlet Containers, Maven</p>
-        <ul>
-            <li>Java 1.7 Support(JS2-1292)</li>
-            <li>Jetspeed API + Generics (JS2-874)</li>
-            <li>Tomcat7 and Servlet 3.0 (JS2-1274)</li>
-            <li>Upgrade Dependencies, Spring (JS2-1290)</li>
-            <li>New Responsive Decorators (JS2-1314)</li>
-            <li>New Responsive Layout (JS2-1315)</li>
-            <li>J2-Admin Angular Portlet Framework (JS2-1316)</li>
-            <li>J2-Admin Core Portlets Responsive (JS2-1317)</li>
-            <li>J2-Admin Chart Portlets (JS2-1320)</li>
-            <li>New User Manager (JS2-1293)</li>
-            <li>Preferences Performance Improvements (JS2-1325)</li>
-            <li>Security Performance Improvements (JS2-1324)</li>
-            <li>Upgraded Portals APA and Bridges Dependencies</li>
-        </ul>
-    </section>
-
-    <section name ="2.3.1 Release">
-        <p>The theme of this release is to continue to improve the user 
interface experience</p>
+        <section name="CVE Reports">
         <ul>
-            <li>Continue Admin Portlets Upgrades (JS2-1282)</li>
-            <li>Customization Improvements (JS2-1084)</li>
-            <li>Deprecate old Decorators, Layouts. Make Responsive Default 
Layouts and Decorators</li>
-            <li>Security Domains (JS2-1233)</li>
-            <li>Maven Improvements (JS2-1291)</li>
+            <li><a href='#CVE-2016-0709'>CVE-2016-0709: Code execution via ZIP 
file path traversal</a></li>
+            <li><a href='#CVE-2016-0710'>CVE-2016-0710:  SQL injection in User 
Manager service</a></li>
+            <li><a href='#CVE-2016-0711'>CVE-2016-0711:  Persistent Cross Site 
Scripting in links, pages and folders</a></li>
+            <li><a href='#CVE-2016-0712'>CVE-2016-0712:  Reflected Cross Site 
Scripting in URI path</a></li>
         </ul>
         </section>
-        <section name="Last Release">
-            <p><a 
href='http://portals.apache.org/jetspeed-2/features.html'>2.2.2</a>- released 
October 2011</p>
-            <ul>
-                <li>Portlet Cloning</li>
-                <li>Apache Solr based Search Engine</li>
-                <li>Bulk Migration of DBPSML from 2.1.x to 2.2.x</li>
-                <li>Admin Security and Portlet Level Security Improvements</li>
-            </ul>
+        <section name="2.3.1 Release CVE Reports">
+            <a name="CVE-2016-0709"/>
+            <subsection name="CVE-2016-0709: Code execution via ZIP file path 
traversal">
+                <table>
+                <tr><td>Severity: </td><td>Important</td></tr>
+                <tr><td>Vendor: </td><td>The Apache Software 
Foundation</td></tr>
+                <tr><td>Versions Effected:</td><td> Jetspeed 2.2.0 to 
2.2.2</td></tr>
+                <tr><td></td><td>Jetspeed 2.3.0</td></tr>
+                <tr><td>The unsupported Jetspeed 2.1.x versions may be also 
affected</td></tr>
+                <tr><td>Mitigation:</td><td>2.2.0 - 2.3.0 users should upgrade 
to 2.3.1</td></tr>
+                <tr><td>Credit:</td><td>This issue was discovered by 
Andreas Lindh</td></tr>
+                
<tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>The Import/Export function in the Portal Site Manager, part 
of the Jetspeed Administrative Portlets, is vulnerable to a path traversal via 
specially crafted file names in ZIP archives. Any user with permission to 
upload files via this function can upload a file with a name like 
"../../../../tmp/foo" to write a file named "foo" in the /tmp directory. This 
is because the code that performs the unzipping of the archive does not check 
the validity of the file names before writing them to disk. This can be turned 
into code execution by uploading a .jsp file and writing it to somewhere on the 
file system where the web server will execute it when visited
+                </p>
+            </subsection>
+            <a name="CVE-2016-0710"/>
+            <subsection name="#CVE-2016-0710: SQL injection in User Manager 
service">
+                <table>
+                    <tr><td>Severity: </td><td>Important</td></tr>
+                    <tr><td>Vendor: </td><td>The Apache Software 
Foundation</td></tr>
+                    <tr><td>Versions Effected:</td><td> Jetspeed 
2.3.0</td></tr>
+                    <tr><td>Mitigation:</td><td>2.3.0 users should upgrade to 
2.3.1</td></tr>
+                    <tr><td>Credit:</td><td>This issue was discovered by 
Andreas Lindh</td></tr>
+                    
<tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>The Jetspeed User Manager service, part of the Jetspeed 
Administrative Portlets, is vulnerable to SQL injection. When performing a 
search in these tools, the 'user' and 'role' parameters of the request can be 
injected to alter the logic of the subsequent SQL statement.
+                </p>
+                <p>There is also an authorization flaw at play here since the 
above URLs can be reached without being authenticated in Jetspeed.</p>
+                <h4>Example</h4>
+                <p>
+                    Given this URL:<br/>
+                    
<source><![CDATA[http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20]]></source>
+                    The 'role' parameter contains the value "foo" which is not 
an existing role, but because of the injected SQL code (or '1'='1') the 
statement returns true anyway and all the existing users are shown.
+                </p>
+            </subsection>
+            <a name="CVE-2016-0711"/>
+            <subsection name="CVE-2016-0711: Persistent Cross Site Scripting 
in links, pages and folders">
+                <table>
+                    <tr><td>Severity: </td><td>Important</td></tr>
+                    <tr><td>Vendor: </td><td>The Apache Software 
Foundation</td></tr>
+                    <tr><td>Versions Effected:</td><td> Jetspeed 2.2.0 to 
2.2.2</td></tr>
+                    <tr><td></td><td>Jetspeed 2.3.0</td></tr>
+                    <tr><td>The unsupported Jetspeed 2.1.x versions may be 
also affected</td></tr>
+                    <tr><td>Mitigation:</td><td>2.2.0 - 2.3.0 users should 
upgrade to 2.3.1</td></tr>
+                    <tr><td>Credit:</td><td>This issue was discovered by 
Andreas Lindh</td></tr>
+                    
<tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>The functionality to add a link, page, or folder, is 
vulnerable to persistent Cross Site Scripting. This is because it is possible 
to include HTML tags in the object's name, such as is the example below where a 
page object is being renamed after creation.
+                </p>
+                <h4>Example</h4>
+                <p>
+                    Given this AJAX request:<br/>
+                    <source><![CDATA[
+POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?
+_type=json HTTP/1.1
+Host: 192.168.2.4:8080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101
+Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
+Content-Length: 60
+Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9;
+JS2TOOLBOX=TAB=theme&CAT=Administration
+Connection: close
+title=foobar</a></li><script>alert(document.domain)</script>
+                    ]]></source>
+                </p>
+                <p>Which results in the following content in the server 
response:<br/>
+                    <source><![CDATA[
+<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
+<title>foobar</a></li><script>alert(document.domain)</script></title>
+                    ]]></source>
+            <p>Note that this code will be executed every time someone visits 
that space.</p>
+        </p>
+            </subsection>
+            <a name="CVE-2016-0712"/>
+            <subsection name="CVE-2016-0712: Reflected Cross Site Scripting in 
URI path">
+            <table>
+                <tr><td>Severity: </td><td>Important</td></tr>
+                <tr><td>Vendor: </td><td>The Apache Software 
Foundation</td></tr>
+                <tr><td>Versions Effected:</td><td> Jetspeed 2.2.0 to 
2.2.2</td></tr>
+                <tr><td></td><td>Jetspeed 2.3.0</td></tr>
+                <tr><td>The unsupported Jetspeed 2.1.x versions may be also 
affected</td></tr>
+                <tr><td>Mitigation:</td><td>2.2.0 - 2.3.0 users should upgrade 
to 2.3.1</td></tr>
+                <tr><td>Credit:</td><td>This issue was discovered by 
Andreas Lindh</td></tr>
+                
<tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+            </table>
+
+            <h4>Description:</h4>
+            <p>
+                The URI path directory after /portal is vulnerable to 
reflected Cross Site Scripting. By visiting the following URL, a JavaScript 
pop-up will appear when the mouse is moved over the minimize/maximize buttons 
(may differ for different UI versions).
+                Note this issue is only reproduced on Firefox browser.
+            </p>
+            <h4>Example</h4>
+            <p>
+                Given this URL:<br/>
+                <source><![CDATA[
+http://192.168.2.9:8080/jetspeed/portal/foo%22onmouseover%3d%22alert%281%29?URL=foo/bar
+                    ]]></source>
+            </p>
+            <p>In the HTML response there is script:<br/>
+                <source><![CDATA[
+<a 
href="http://192.168.2.4:8080/jetspeed/portal/_ns:..._/foo"onmouseover="alert(1)"
+title="Minimize" class="action portlet-action" ><img 
src="/jetspeed/decorations/images/minimized.gif" alt="Minimize" border="0"/></a>
+                    ]]></source>
+            </p>
+            </subsection>
         </section>
 
     </body>
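Review bot: The CVE-2016-0710 example does not match its own description: the sample URL ends at `roles=foo%27%20`, but the text below it refers to injected code `(or '1'='1')` that is not in the URL, and the description names the 'user' and 'role' parameters while the URL carries `name` and `roles`. Please make the URL and the prose agree so readers can tell which parameters are affected. Other points in this file: the References row in all four tables cites http://tomcat.apache.org/security.html, which is a Tomcat page rather than a Jetspeed advisory; the subsection name `#CVE-2016-0710: SQL injection in User Manager service` has a stray leading `#` that the other three names lack; "Versions Effected" should read "Versions Affected"; the "unsupported Jetspeed 2.1.x versions may be also affected" rows have a single `<td>` in a two-column table; the CVE-2016-0711 request sample publishes a full `JSESSIONID` value, which is better replaced with a placeholder; and the CVE-2016-0712 request uses host 192.168.2.9 while the quoted response shows 192.168.2.4. The only mitigation listed is upgrading to 2.3.1; if any interim workaround exists for users who cannot upgrade immediately, this page is where it should be stated.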

