[ 
https://issues.apache.org/jira/browse/VELTOOLS-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Osipov closed VELTOOLS-170.
-----------------------------------

> Upgrade beanutils to 1.9.3 & suppress access to class and Class
> ---------------------------------------------------------------
>
>                 Key: VELTOOLS-170
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-170
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Assignee: Claude Brisson
>            Priority: Critical
>             Fix For: 3.0
>
>
> Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and 
> mitigate CVE-2014-0114. See BEANUTILS-463 for fix info.
> Velocity Tools v2.0 currently uses beanutils v1.7.0.
> Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat 
> analysis has updated the affected versions to include 1.7.0.
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar 
> in Apache Struts 1.x through 1.3.10 and in other products requiring 
> commons-beanutils through 1.9.2, does not suppress the class property, which 
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
> code via the class parameter, as demonstrated by the passing of this 
> parameter to the getClass method of the ActionForm object in Struts 1.
> {quote}
> h5.CVSS Version 2 Metrics:
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type:
> * Allows unauthorized disclosure of information
> * Allows unauthorized modification
> * Allows disruption of service 
> h3.Edit: 28th November 2016
> Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November 
> 2016).  From the vulnerability information provided (and highlighting in red 
> the bit that applies to Velocity Tools):
> {quote}
> h4.Explanation
> Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can 
> lead to Remote Code Execution (RCE). Access to the {{class}} and {{Class}} 
> properties is not suppressed, exposing them by default. An attacker can 
> construct malicious input using the {{class property}} in order to manipulate 
> the {{ClassLoader}} potentially leading to arbitrary code execution.
> h4.Detection
> {color:red}If you are the calling application, you are vulnerable by running 
> this component without filtering the property names {{class}} and 
> {{Class}}{color}. If this is a transitive dependency, you will want to 
> contact the parent project to ensure they have added a mitigating control.
> Note: If you are using the built-in implementation of 
> {{SuppressPropertiesBeanIntrospector}} added in version 1.9.2 of 
> {{commons-beanutils}} as your mitigation, you are still vulnerable. Although 
> the built-in implementation specifically suppresses the {{class}} property, 
> it does not also suppress {{Class}}.
> h4.Recommendation
> Although commons-beanutils offers a built-in implementation of 
> SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically 
> suppresses the "class" property, it does not also suppress "Class". Due to 
> this insufficient fix, which is also not enabled by default, we recommend 
> implementing your own custom mitigating control such as the one found here: 
> https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
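Added example, not code from the issue, from Velocity Tools, or from Sonatype: a small Java guard that applies the two controls the quoted Sonatype note describes. It filters the property names "class" and "Class" (and any nested path rooted at them) out of untrusted input before BeanUtils.populate() sees it, and it builds a BeanUtilsBean whose introspector suppresses both names rather than relying on the default, non-registered SUPPRESS_CLASS introspector that only covers "class". It assumes commons-beanutils 1.9.2 or later on the classpath (for SuppressPropertiesBeanIntrospector); UserForm and the parameter map are constructed stand-ins for a request-bound bean and its incoming parameters, and the hostile keys are placeholders, not a working gadget chain.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassGuard {

    // Constructed stand-in for a request-populated bean (what a Struts 1
    // ActionForm is). Every object also exposes "class" via getClass().
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // The two property names the Sonatype note says must be filtered.
    static final Set<String> BLOCKED = new HashSet<>(Arrays.asList("class", "Class"));

    // Control 1: reject blocked names before populate() runs. The first path
    // segment is checked so "class.classLoader.x" is rejected along with "class".
    public static Map<String, String> filterUntrustedParams(Map<String, String> params) {
        Map<String, String> safe = new HashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String root = e.getKey().split("[.\\[(]", 2)[0];
            if (BLOCKED.contains(root)) {
                continue; // dropped: would reach the ClassLoader via getClass()
            }
            safe.put(e.getKey(), e.getValue());
        }
        return safe;
    }

    // Control 2: a BeanUtilsBean whose property introspection suppresses both
    // "class" and "Class", unlike SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS,
    // which only removes "class" and is not registered by default anyway.
    public static BeanUtilsBean hardenedBeanUtils() {
        PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
        propertyUtils.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(BLOCKED));
        return new BeanUtilsBean(new ConvertUtilsBean(), propertyUtils);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one legitimate field, two hostile placeholders.
        Map<String, String> params = new HashMap<>();
        params.put("name", "alice");
        params.put("class", "x");
        params.put("Class.classLoader.placeholder", "y");

        // Default BeanUtilsBean: "class" is a readable property of any bean.
        BeanUtilsBean stock = BeanUtilsBean.getInstance();
        System.out.println("default: 'class' readable = "
                + stock.getPropertyUtils().isReadable(new UserForm(), "class"));

        // Hardened BeanUtilsBean: the descriptor for "class" is gone entirely.
        BeanUtilsBean hardened = hardenedBeanUtils();
        UserForm form = new UserForm();
        System.out.println("hardened: 'class' readable = "
                + hardened.getPropertyUtils().isReadable(form, "class"));

        // Belt and braces: filter the input and populate with the hardened bean.
        Map<String, String> safe = filterUntrustedParams(params);
        hardened.populate(form, safe);
        System.out.println("kept keys = " + safe.keySet() + ", name = " + form.getName());
    }
}
```

Use both layers: the introspector stops getClass() from being reachable through property lookup, and the input filter stops the request-parameter names from ever being resolved, which is the control the note says the calling application itself is responsible for when beanutils arrives as a transitive dependency.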
