[
https://issues.apache.org/jira/browse/SLING-8369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16823340#comment-16823340
]
Philipp Ottlinger commented on SLING-8369:
------------------------------------------
Mail via ASF:
{code:java}
Hi Apache Security Team,
This email is to responsibly disclose a security vulnerability in
several of the projects under the Apache organization.
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
Impact Locations
I've been doing a cursory sweep of popular GitHub Gradle and Maven
based projects and I've been seeing this vulnerability in a lot of
places.
Kafka:
https://github.com/apache/kafka/blob/3cdc78e6bb1f83973a14ce1550fe3874f7348b05/gradle/buildscript.gradle#L20
Geode:
https://github.com/apache/geode/blob/964b6f40d038d15038331bc34b9f135e078d68f1/build.gradle#L20
https://github.com/apache/geode/blob/964b6f40d038d15038331bc34b9f135e078d68f1/build.gradle#L23
https://github.com/apache/geode/blob/964b6f40d038d15038331bc34b9f135e078d68f1/build.gradle#L61
Storm:
https://github.com/apache/storm/blob/8a475696e908c53f1c06bf1a8f373d8ac0483427/external/storm-mqtt/pom.xml#L32-L43
https://github.com/apache/storm/blob/8a475696e908c53f1c06bf1a8f373d8ac0483427/external/storm-hdfs/pom.xml#L38-L43
https://github.com/apache/storm/blob/604ecf7fc87ec25b3a2ac1269bc0bd0b4eea0a82/pom.xml#L1090-L1099
Storm (PRODUCTION SOURCE):
https://github.com/apache/storm/blob/21bb1388414d373572779289edc785c7e5aa52aa/storm-submit-tools/src/main/java/org/apache/storm/submit/dependency/Booter.java#L50
Bigtop:
https://github.com/apache/bigtop/blob/2c3490cc3a1c564354cfeb35601452beb7e41eba/bigtop-bigpetstore/bigpetstore-transaction-queue/build.gradle#L45-L47
https://github.com/apache/bigtop/blob/2c3490cc3a1c564354cfeb35601452beb7e41eba/bigtop-tests/smoke-tests/odpi-runtime/build.gradle#L22-L26
Airavata:
https://github.com/apache/airavata/blob/eb07965fbe9028e21c40bb0ed0f331603762c781/modules/user-profile-migration/pom.xml#L24-L34
https://github.com/apache/airavata/blob/eb07965fbe9028e21c40bb0ed0f331603762c781/pom.xml#L538-L573
Buildr:
https://github.com/apache/buildr/blob/6f357ea1b19576ccaab9259638af7dd9b2e3b43d/tests/generateFromPom/pom.xml#L275-L286
https://github.com/apache/buildr/blob/6f357ea1b19576ccaab9259638af7dd9b2e3b43d/tests/generateFromPom/pom.xml#L288-L348
Drat:
https://github.com/apache/drat/blob/b9b71db12001526d507bbc9d748e882d6b81bc2e/pom.xml#L19-L34
Tomee (Examples):
https://github.com/apache/tomee/search?l=Maven+POM&p=1&q=%3Curl%3Ehttp%3A%2F%2F
I'm almost completely certain I haven't found all of the instances of
this vulnerability in Apache Projects. I'd recommend that the Apache
Security team reach out to all of its project maintainers using Maven
or Gradle and request that they check their software for this
vulnerability.
Exploitability
This isn't just a theoretical attack vector; POC code exists already
to maliciously compromise jar files in flight as part of a MITM attack
https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
https://github.com/mveytsman/dilettante
Additionally, MITM attacks aren't rare either:
https://serverfault.com/a/153065
https://security.stackexchange.com/a/12050
ISPs like Comcast have a history of using their MITM position to
inject Javascript into webpages loaded over HTTP (2017):
https://thenextweb.com/insights/2017/12/11/comcast-continues-to-inject-its-own-code-into-websites-you-visit/
{code}
> Download plugins via https only
> -------------------------------
>
> Key: SLING-8369
> URL: https://issues.apache.org/jira/browse/SLING-8369
> Project: Sling
> Issue Type: Improvement
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: Parent 36
>
>
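The reporter's mail lists hand-found instances of the pattern (repository, plugin-repository and script-plugin URLs using plain http://). The scanner below is an added example, not code from the Sling project or from the reporter, that automates that check for a POM and a Gradle build file. The sample POM and Gradle snippets embedded in it are constructed for the example; the element names and regexes reflect the standard Maven POM model and the common Gradle `url` / `apply from:` spellings, and the local-host exemption is an assumption of this example (an on-path attacker cannot intercept a loopback connection).

```python
"""Find build-time download URLs that use cleartext HTTP in Maven and
Gradle build files (the CWE-494 / CWE-829 pattern from the mail above).
Added example; not part of SLING-8369 or the reporter's disclosure."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# POM elements whose <url> child is something Maven connects to. A bare
# <project><url> or <scm><url> is only descriptive, so it is not listed.
# <repository> under <distributionManagement> is an upload target; over
# HTTP that leaks deploy credentials, so it is flagged as well.
DOWNLOAD_PARENTS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

# Assumption of this example: plain HTTP to the loopback interface is not
# exposed to an on-path attacker, so local Nexus/Artifactory mirrors pass.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Gradle spellings: url 'http://…'  |  url = "http://…"  |  url = uri("http://…")
GRADLE_URL_RE = re.compile(r"""\burl\s*=?\s*(?:uri\s*\(\s*)?['"](http://[^'"]+)['"]""")
# Gradle: apply from: 'http://…' pulls a script plugin straight into the build
GRADLE_APPLY_RE = re.compile(r"""\bapply\s+from\s*:\s*['"](http://[^'"]+)['"]""")


def _local_name(tag):
    """Strip the XML namespace ('{http://maven.apache.org/POM/4.0.0}url')."""
    return tag.rsplit("}", 1)[-1]


def is_cleartext(url):
    """True for http:// URLs to a non-loopback host."""
    parsed = urlparse(url)
    return parsed.scheme == "http" and (parsed.hostname or "") not in LOCAL_HOSTS


def find_http_urls_in_pom(pom_xml):
    """Return [(parent_element, url)] for every download URL using http://.
    The POM namespace URI is an attribute, not a fetched URL, so it is skipped."""
    root = ET.fromstring(pom_xml)
    hits = []
    for parent in root.iter():
        pname = _local_name(parent.tag)
        if pname not in DOWNLOAD_PARENTS:
            continue
        for child in parent:
            if _local_name(child.tag) == "url" and child.text:
                url = child.text.strip()
                if is_cleartext(url):
                    hits.append((pname, url))
    return hits


def find_http_urls_in_gradle(text):
    """Return [(kind, url)] for http:// repository URLs and script plugins."""
    hits = [("repository", m.group(1)) for m in GRADLE_URL_RE.finditer(text)]
    hits += [("apply from", m.group(1)) for m in GRADLE_APPLY_RE.finditer(text)]
    return [(kind, url) for kind, url in hits if is_cleartext(url)]


# Constructed sample inputs (not taken from any of the projects in the mail).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1</version>
  <url>http://example.org/project-homepage</url>
  <repositories>
    <repository><id>insecure</id><url>http://repo.example.org/maven2</url></repository>
    <repository><id>secure</id><url>https://repo.example.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>local</id><url>http://localhost:8081/nexus</url></pluginRepository>
  </pluginRepositories>
</project>
"""

SAMPLE_GRADLE = """
buildscript {
  repositories {
    maven { url 'http://plugins.example.org/m2' }
    maven { url = uri("https://plugins.example.org/m2") }
  }
}
apply from: 'http://scripts.example.org/common.gradle'
repositories {
  maven { url "http://127.0.0.1:8081/repo" }
}
"""

if __name__ == "__main__":
    for kind, url in find_http_urls_in_pom(SAMPLE_POM):
        print(f"pom.xml: <{kind}> fetches over cleartext: {url}")
    for kind, url in find_http_urls_in_gradle(SAMPLE_GRADLE):
        print(f"build.gradle: {kind} fetches over cleartext: {url}")
```

Run it over a checked-out tree by feeding each pom.xml / *.gradle file to the two functions; any hit is a place where an on-path attacker can swap the jar or script the build executes. Two facts about the tools themselves, not stated in the mail but worth knowing when triaging hits: Maven 3.8.1 and later ship a default `maven-default-http-blocker` mirror that refuses external HTTP repositories, and Gradle 7 fails the build for an http:// repository URL unless `allowInsecureProtocol = true` is set, so an explicit opt-out in the build file is the thing to grep for on newer toolchains.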
