+1 LieGrue, strub
----- Original Message -----
> From: Romain Manni-Bucau <[email protected]>
> To: [email protected]
> Cc:
> Sent: Wednesday, 12 June 2013, 23:15
> Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
>
> Hi
>
> TomEE trunk relies on openjpa snapshot
>
> With such an issue, I wonder about an early release (maybe a beta?)
>
> Wdyt?
> On 12 June 2013 21:33, "Jeremy Bauer" <[email protected]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> CVE-2013-1768: Apache OpenJPA security vulnerability
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>>
>> OpenJPA 1.0.0 to 1.0.4
>> OpenJPA 1.1.0
>> OpenJPA 1.3.0
>> OpenJPA 1.2.0 to 1.2.2
>> OpenJPA 2.0.0 to 2.0.1
>> OpenJPA 2.1.0 to 2.1.1
>> OpenJPA 2.2.0 to 2.2.1
>>
>> Description: Deserialization of a maliciously crafted OpenJPA object can
>> result in an executable file being written to the file system. An
>> attacker needs to discover an unprotected server program to exploit the
>> vulnerability. It then needs to exploit another unprotected server
>> program to execute the file and gain access to the system. OpenJPA
>> usage by itself does not introduce the vulnerability.
>>
>> Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
>> specification level should upgrade to the OpenJPA 1.2.3 release. Users
>> of OpenJPA using a release based upon the JPA 2.0 specification level
>> should upgrade to the OpenJPA 2.2.2 release. Users needing to stay on
>> their current release should get the latest code from svn for the
>> corresponding branch level or apply a source patch and build a new
>> binary package. Nightly snapshots of the latest source builds are also
>> available for many branches.
>>
>> OpenJPA release branch levels and corresponding fix revisions:
>>
>> OpenJPA 1.0.x revision 1462558:
>> http://svn.apache.org/viewvc?view=revision&revision=1462558
>> OpenJPA 1.1.x revision 1462512:
>> http://svn.apache.org/viewvc?view=revision&revision=1462512
>> OpenJPA 1.2.x revision 1462488:
>> http://svn.apache.org/viewvc?view=revision&revision=1462488
>> OpenJPA 1.3.x revision 1462328:
>> http://svn.apache.org/viewvc?view=revision&revision=1462328
>> OpenJPA 2.0.x revision 1462318:
>> http://svn.apache.org/viewvc?view=revision&revision=1462318
>> OpenJPA 2.1.x revision 1462268:
>> http://svn.apache.org/viewvc?view=revision&revision=1462268
>> OpenJPA 2.2.1.x revision 1462225:
>> http://svn.apache.org/viewvc?view=revision&revision=1462225
>> OpenJPA 2.2.x revision 1462076:
>> http://svn.apache.org/viewvc?view=revision&revision=1462076
>>
>> Example: An attacker creates a customized serialization of an OpenJPA
>> object. The attacker exploits an unprotected server program to execute
>> the object. The object includes logic that results in malicious trace
>> being written to a file, such as a JSP. The file containing malicious
>> commands is written to a potentially vulnerable area of the system. The
>> attacker exploits a second unprotected server program to execute the
>> file and gain access to the system.
>>
>> Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.20 (MingW32)
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBAgAGBQJRuMz9AAoJEALD36U3PPjRdzMQAKYkGuFQ/jT6Txy5UemN7oC3
>> bAUsJRlAsV11uZTnTNo4hgtZVA9Q9fN2NbswjcWFS+/U1MljgrF9lqHspm/SV9o5
>> Yi4S39AtMKva0eBMGaRGBpARhu7QbMOxD7D9dqp79bHcgxfZROG71bwx4dTL3q3Z
>> 3dxOEnkqPUM9vZFm3zrMKF4Hy3q/TuMIJtFtj/B5KuNtlJFXUe908wzoQyQjm9Al
>> M7xZhWGdGnVwD1ynlrG5exWZ8xlQ5W4TGeK/h3zJ05kYQHXIwhgiympApNfIYCQZ
>> 1zexnGv7pWQI/NVXPv8XaxtZ6HYUn+1GpZ8ipF4nCoXy0KTfLJmd9wcpxU8b+4c1
>> tguzC8rYbol7TxkMy/HpAgHTavIfDXFZyjl5/z2X6e+s6YtP+TRCN8Jy7fpg0AuU
>> OFQp+LoY06vFJmoJiL0+TiNeotcZuH1l8OL6PuvXHF/4saAUfADNHqJIR5xBTdPY
>> rIy8gtS06IM6aOhSbCrJphIpSOk5qQQV5Uhzfo5NXFeglBxP+YEPFq5sBmVIPEOG
>> IL6u6CAclmMKg+vqXUeY1EsmV2lrhqshyBh7umTSSm7YWNgoQJJxUn/8phxATJ3K
>> DlaZWId//mmnz36349m9HF2hc5iPea01MDcWHUwe2a0d0Wmwz6CXlvWuBNtTmZoV
>> 7iGIxMiN7yJ14RZoDsKw
>> =LVgy
>> -----END PGP SIGNATURE-----
>>
>>
>
