-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2015-11-11, Fortify Open Review Project wrote:

> The HP Fortify Open Review team has assessed Apache .NET Ant 1.1 for
> possible security vulnerabilities and the results of your assessment
> are attached. It is HP's policy to make all results public on our
> Fortify on Demand website within 60 days from the date of this
> notification.

Since you sent the report to the public [email protected] mailing list, the report would already have been disclosed if the list was set up to allow posts by non-subscribers.

Please see <http://ant.apache.org/security.html> and <http://www.apache.org/security/> for ways to report security vulnerabilities.

It is the experience of the Apache Software Foundation that static analysis tools - including Fortify - generate very large numbers of false positives and very few - if any - valid vulnerability reports when run against code. Therefore, the Apache Software Foundation does not accept any vulnerability reports generated from a static analysis tool unless that vulnerability report is backed up with manual analysis that demonstrates how the claimed vulnerability might be exploited.

The vulnerabilities detected by Fortify for the .NET Antlib are false positives.

Ant is a tool used to build software projects. Given the nature of this tool, using Ant the following actions can typically be taken:

- file system access, including writing files (as far as permitted to the user running Ant)
- the execution of executables (as far as permitted to the user running Ant)
- compilation of new software
- execution of software compiled using Ant

This basically means that using Ant it is quite easy to execute arbitrary executables. The string comparison is not used to prevent (or ensure) that certain binaries are executed.

In case Ant is used as part of a server process, be aware that by accepting build files you are basically prone to an open remote code execution vulnerability. While this may be acceptable for build / continuous integration servers (probably with some kind of accountability), this would normally not be acceptable outside a development environment.

This implies an attack based on casing errors cannot be considered a security vulnerability in Ant (as an attacker could easily use Ant to execute random code, including code to starve the CPU, or even to post all of your files to a newsgroup; building and executing code is core functionality of Ant).

Stefan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAlZFo88ACgkQohFa4V9ri3I7TwCgzB2b51seYPgawxwaACiDsS3A
/FEAn1YRe/Yxtag88SXhEfa9mT4IASH/
=NtpI
-----END PGP SIGNATURE-----
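The message above makes the point that an Ant build file is itself code: it can write files, run executables, and compile and run new programs, so a server that accepts build files from outside has accepted remote code execution. The following script is an added example (not part of this thread and not Apache Ant's own code) of a triage aid a CI operator could run over an incoming build file to inventory which of those capability classes it uses. The task-name table and the sample build file are constructed for the example and the table is deliberately partial, since Ant is extensible through taskdef, macrodef and script tasks; an empty report therefore does not make a build file trustworthy, it only summarises what a quick review would otherwise have to read by hand.

```python
"""Triage aid for Ant build files received from outside a trusted source.

Added example, not part of the original mailing-list thread or of Apache Ant.
It walks a build.xml and reports which Ant tasks it uses that touch the file
system, run executables, or compile and run code. The task table below is
constructed for this example and is deliberately partial: Ant is extensible
(taskdef, macrodef, script), so an empty report does not mean a build file
is harmless.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, partial mapping of well-known Ant task names to the capability
# classes listed in the message (file system, execution, compilation).
TASK_CAPABILITIES = {
    "exec": "execute",
    "apply": "execute",
    "java": "execute",
    "sshexec": "execute",
    "script": "execute",    # inline scripting language
    "javac": "compile",
    "copy": "filesystem",
    "move": "filesystem",
    "delete": "filesystem",
    "mkdir": "filesystem",
    "touch": "filesystem",
    "get": "network",
    "taskdef": "extend",    # loads arbitrary task classes
    "macrodef": "extend",
}


def local_name(tag):
    """Strip an XML namespace prefix ({uri}name -> name) if present."""
    return tag.rsplit("}", 1)[-1]


def inventory_build_file(xml_text):
    """Return {capability: sorted task names} used by the build file.

    Every element is visited, not only direct children of <target>, because
    tasks may be nested inside containers such as <sequential> or <parallel>.
    """
    root = ET.fromstring(xml_text)
    found = defaultdict(set)
    for elem in root.iter():
        cap = TASK_CAPABILITIES.get(local_name(elem.tag))
        if cap:
            found[cap].add(local_name(elem.tag))
    return {cap: sorted(names) for cap, names in found.items()}


def executes_code(xml_text):
    """True if the build file uses any task in the execute or extend classes."""
    inv = inventory_build_file(xml_text)
    return bool(inv.get("execute")) or bool(inv.get("extend"))


# Constructed sample build file for demonstration (benign hostname call).
SAMPLE_BUILD_XML = """<?xml version="1.0"?>
<project name="demo" default="build">
  <target name="build">
    <mkdir dir="build/classes"/>
    <javac srcdir="src" destdir="build/classes"/>
    <parallel>
      <exec executable="hostname"/>
    </parallel>
  </target>
</project>
"""

if __name__ == "__main__":
    for cap, names in sorted(inventory_build_file(SAMPLE_BUILD_XML).items()):
        print(f"{cap}: {', '.join(names)}")
    print("executes code:", executes_code(SAMPLE_BUILD_XML))
```

The report is only an inventory; the decision the message argues for is made upstream, by restricting who may submit build files to a build server at all.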
