[oCERT 2016-001] Jetty path sanitization issues

2016-05-30 Thread Daniele Bianco

Description:

Jetty is a Java HTTP (Web) server and Servlet container.

The Jetty path normalization mechanism suffers from an implementation issue
when parsing request URLs.

The path normalization logic implemented in the PathResource class and
introduced in Jetty versions 9.3.x can be defeated by requesting malicious
URLs containing specific escaped characters.

By exploiting this weakness, a malicious user can gain access to protected
resources (e.g. the WEB-INF and META-INF folders and their contents) and
bypass application filters or other security constraints implemented in the
servlet configuration.
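The bug class behind the advisory, as an added example that is not part of the original advisory and does not reproduce Jetty's PathResource code: a security constraint evaluated on one form of the request path while resource resolution works on another, so an escaped separator (here a percent-encoded backslash, which is exactly what the rewrite workaround below filters) or an encoded `..` reaches the protected directory. The protected prefixes, the `vulnerable_serve`/`hardened_serve` names and the HTTP status strings are assumptions made for the illustration. The hardened variant decodes once, refuses backslashes and NULs outright, normalizes, and then uses the same canonical string for both the constraint check and resolution.

```python
"""Constructed model of a path-normalization bypass.  Not Jetty code."""
import posixpath
from urllib.parse import unquote

# Assumed: paths a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def vulnerable_serve(raw_path):
    """Constraint check runs on the decoded path; the resource layer later
    treats '\\' as a separator and collapses '.' / '..' segments.  The two
    layers see different paths, so a crafted escape slips past the check."""
    decoded = unquote(raw_path)
    if decoded.startswith(PROTECTED_PREFIXES):
        return "403"
    resolved = posixpath.normpath(decoded.replace("\\", "/"))
    return "200 " + resolved


def canonical_path(raw_path):
    """Decode exactly once (a second decode would turn %255C into a
    backslash after the check), refuse backslashes and NULs, normalise.
    Returns None for a request that should be refused outright, which is
    what the advisory's rewrite workaround does with a 404."""
    decoded = unquote(raw_path)
    if "\\" in decoded or "\0" in decoded or not decoded.startswith("/"):
        return None
    norm = posixpath.normpath(decoded)
    if norm.startswith("//"):            # normpath keeps a leading '//'
        norm = "/" + norm.lstrip("/")
    return norm


def is_protected(path):
    """Prefix match plus the bare directory itself (no trailing slash)."""
    return any(path == p.rstrip("/") or path.startswith(p)
               for p in PROTECTED_PREFIXES)


def hardened_serve(raw_path):
    """Same constraint, applied to the canonical path; the very same string
    is then used for resource resolution, so the two views cannot diverge."""
    path = canonical_path(raw_path)
    if path is None:
        return "404"
    if is_protected(path):
        return "403"
    return "200 " + path


if __name__ == "__main__":
    for req in ("/WEB-INF/web.xml", "/WEB-INF%5Cweb.xml",
                "/static/..%2FWEB-INF/web.xml", "/index.html"):
        print(f"{req:32} vulnerable={vulnerable_serve(req):24} "
              f"hardened={hardened_serve(req)}")
```

Run as a script it prints, for each request, what the two models would answer; the encoded-backslash and encoded-`..` requests are served by the vulnerable model and refused by the hardened one.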

As an alternative to upgrading, the issue can be mitigated with the
'rewrite' module as follows:

  $ java -jar ../start.jar --module=rewrite etc/backslashalias.xml

or 

  $ java -jar ../start.jar --add-to-startd=rewrite
  $ java -jar ../start.jar  etc/backslashalias.xml 

Workaround file backslashalias.xml contents (the XML markup did not survive
extraction of this page; only the following values are recoverable):

  DTD:            http://www.eclipse.org/jetty/configure_9_3.dtd
  rule regex:     .*\\.*
  other value:    /
  response code:  404


Affected version:

Jetty >= 9.3.0, <= 9.3.8

Fixed version:

Jetty >= 9.3.9

Credit: vulnerability reported by Simon Zuckerbraun of Trend Micro Zero Day 
Initiative

CVE: CVE-2016-4800

Timeline:

2016-05-03: vulnerability report received
2016-05-06: contacted maintainer
2016-05-11: patch provided by maintainer
2016-05-13: assigned CVE
2016-05-18: reporter confirms patch
2016-05-20: contacted affected vendors
2016-05-30: advisory release

References:
http://www.eclipse.org/jetty/download.html

Permalink:
http://www.ocert.org/advisories/ocert-2016-001.html

--
  Daniele Bianco  Open Source Computer Security Incident Response Team
  <dan...@ocert.org>  http://www.ocert.org

  GPG Key 0x9544A497
  GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D  4AC5 AE75 822E 9544 A497


[oCERT 2015-012] Ganeti multiple issues

2015-12-30 Thread Daniele Bianco
#2015-012 Ganeti multiple issues

Description:

Ganeti, an open source virtualization manager, suffers from multiple issues in
its RESTful control interface (RAPI).

The distributed replicated storage (DRBD) secret is leaked by the RAPI
interface when job results are requested. With knowledge of this secret, a
malicious user who has already gained access to the cluster's storage
network can retrieve instance data more easily and reliably.

The RAPI interface is also vulnerable to a DoS condition, triggered via SSL
parameter renegotiation issued by a malicious client. The condition leads to
resource exhaustion on the master node.

Affected version:

Ganeti <=2.9.6, <=2.10.7, <=2.11.7, <=2.12.5, <=2.13.2, <=2.14.1, <=2.15.1

Fixed version:

Ganeti >=2.9.7, >=2.10.8, >=2.11.8, >=2.12.6, >=2.13.3, >=2.14.2, >=2.15.2

Credit: vulnerability reported by Pierre Kim.

CVE:

CVE-2015-7944 (DoS), CVE-2015-7945 (DRBD secret leak) 

Timeline:

2015-12-21: vulnerability report received
2015-12-24: contacted affected vendors
2015-12-30: advisory release

References:

http://downloads.ganeti.org/releases

Permalink:

http://www.ocert.org/advisories/ocert-2015-012.html



[oCERT 2015-011] PyAMF input sanitization errors (XXE)

2015-12-17 Thread Daniele Bianco

#2015-011 PyAMF input sanitization errors (XXE)

Description:

PyAMF is a Python module that implements the Action Message Format (AMF)
protocol, allowing Flash interoperation with various web frameworks.

PyAMF performs insufficient sanitization of AMF input payloads, with the
result that the XML parser does not prevent the processing of XML external
entities (XXE).

A specially crafted AMF payload, containing malicious references to XML
external entities, can be used to trigger Denial of Service (DoS)
conditions or to return the contents of arbitrary files readable with the
privileges of the running application.
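The file-disclosure half of the issue, as an added example that is not PyAMF code and does not reproduce its AMF decoding: the same XXE document is fed to a parser configured to resolve external general entities (the vulnerable configuration) and to one that refuses them (the hardened configuration). Python's `xml.sax`/expat is used as the stand-in parser; the payload, the `secret.txt` file it points at (a temporary file the demo creates itself) and the function names are constructed for the illustration.

```python
"""XXE through an XML parser that resolves external entities, beside the
hardened configuration.  Constructed demo; not PyAMF code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers every character-data event; with XXE the file content
    arrives here as if it were ordinary element text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_text(xml_bytes, resolve_external):
    """resolve_external=True models the vulnerable parser configuration:
    a SYSTEM entity is fetched from disk (or the network) and expanded.
    False is the hardened one: the entity reference expands to nothing."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(path):
    """Minimal XXE document: an external entity whose SYSTEM id is a local
    file, referenced from element content so its bytes are echoed back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE d [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<d>&xxe;</d>\n"
    ).encode()


def demo():
    """Returns (text seen by the vulnerable parser, text seen by the
    hardened parser) for a secret file created in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"s3cr3t")            # constructed sample secret
        payload = xxe_payload(secret)
        return parse_text(payload, True), parse_text(payload, False)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("hardened parser saw:  ", repr(safe))
```

Disabling external general entities is the minimum; a parser that handles untrusted AMF-embedded XML should also reject the DOCTYPE altogether, which removes the entity-expansion DoS variant the advisory mentions as well.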

Affected version:

PyAMF <= 0.7.2

Fixed version:

PyAMF >= 0.8.0

Credit: vulnerability reported by Nicolas Grégoire 

CVE:

CVE-2015-8549

Timeline:

2015-12-01: vulnerability report received
2015-12-02: contacted maintainer
2015-12-04: maintainer commits patch via public pull request
2015-12-12: reporter confirms patch
2015-12-14: contacted affected vendors
2015-12-14: assigned CVE
2015-12-17: advisory release

References:

https://github.com/hydralabs/pyamf/pull/58

Permalink:

http://www.ocert.org/advisories/ocert-2015-011.html



[oCERT 2014-008] libFLAC multiple issues

2014-11-25 Thread Daniele Bianco

Description:

FLAC is an open source lossless audio codec supported by several software
and music players.

The libFLAC project, an open source library implementing reference
encoders and decoders for native FLAC and Ogg FLAC audio content,
suffers from multiple implementation issues.

In particular, a stack overflow and a heap overflow condition, which may
result in arbitrary code execution, can be triggered by passing a maliciously
crafted .flac file to the libFLAC decoder.

Affected version:

libFLAC <= 1.3.0

The following packages were identified as affected as they statically
include libFLAC.

Max <= 0.9.1
Cog <= 0.07
cinelerra <= 4.6
JUCE <= 3.1.0 (juce_audio_formats module)

Fixed version:

libFLAC >= 1.3.1

Max N/A
Cog N/A
cinelerra N/A
JUCE N/A

Credit: vulnerability report from Michele Spagnuolo of Google Security Team 
mikispag AT google.com

CVE:

CVE-2014-8962 (stack overflow)
CVE-2014-9028 (heap overflow)

Timeline:

2014-11-12: heap overflow report received
2014-11-12: contacted maintainer
2014-11-14: patch provided by maintainer
2014-11-17: reporter confirms patch
2014-11-20: stack overflow vulnerability reported
2014-11-21: assigned CVE (heap overflow)
2014-11-22: contacted affected vendors
2014-11-23: contacted additional affected vendors
2014-11-25: advisory release

References:

https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85

Permalink:

http://www.ocert.org/advisories/ocert-2014-008.html



[oCERT-2014-005] LPAR2RRD input sanitization errors

2014-07-23 Thread Daniele Bianco

#2014-005 LPAR2RRD input sanitization errors

Description:

LPAR2RRD is performance monitoring and capacity planning software for IBM
Power Systems. It generates historical, future-trend and near real-time CPU
utilization graphs of LPARs and of shared CPU usage.

Insufficient input sanitization of the parameters passed to the
application's web GUI leads to arbitrary command injection on the LPAR2RRD
application server.

Affected version:

LPAR2RRD <= 4.53, <= 3.5

Fixed version:

LPAR2RRD releases later than 4.53

Credit: vulnerability report and PoC code received from Jürgen Bilberger
juergen.bilberger AT daimler.com.

CVE: CVE-2014-4981 (versions up to 3.5), CVE-2014-4982 (versions up to 4.53)

Timeline:

2014-07-08: vulnerability report received
2014-07-08: contacted LPAR2RRD maintainers
2014-07-20: patch provided by maintainers, assigned CVEs
2014-07-22: contacted affected vendors
2014-07-23: advisory release

References:
http://www.lpar2rrd.com

Permalink:
http://www.ocert.org/advisories/ocert-2014-005.html



[oCERT-2013-001] File Roller path sanitization errors

2013-07-08 Thread Daniele Bianco

#2013-001 File Roller path sanitization errors

Description:

The File Roller archive manager for the GNOME desktop suffers from a
path traversal vulnerability caused by insufficient path sanitization.

A specially crafted archive file can be used to create arbitrary files
outside the current working directory, in any location writable by the user
performing the extraction. This behaviour is triggered when the 'Keep
directory structure' option is selected in the application's 'Extract'
dialog.

The issue is present in File Roller installations compiled with libarchive
support, which is used to handle the tar, cpio, lha, 7zip and ar archive
formats and ISO images. libarchive support is enabled by default.
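The containment check that an extractor keeping the archive's directory structure has to make, as an added example that is not File Roller or libarchive code: every member path is resolved against the destination directory with `realpath()` and refused unless it stays inside it, and link members are refused outright since a symlink pointing outside the destination would let a later member write through it. The sample archive (one benign member, one escaping via `..`) is constructed in memory; the function names are assumptions for the illustration.

```python
"""Containment check for archive extraction.  Constructed demo, not
File Roller code; the archive is built in memory."""
import io
import os
import tarfile
import tempfile


def is_contained(dest, member_name):
    """True only if dest/member_name resolves to a location inside dest.
    realpath() resolves '..' segments and any symlinked components on
    both sides, so the comparison is between canonical paths."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(tar_bytes, dest):
    """Extract regular files and directories whose paths stay inside dest,
    preserving the directory structure.  Links and other member types are
    rejected.  Returns (written names, rejected names)."""
    written, rejected = [], []
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()) or not is_contained(dest, m.name):
                rejected.append(m.name)
                continue
            target = os.path.join(dest_real, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(m).read())
            written.append(m.name)
    return written, rejected


def build_sample_tar():
    """Constructed archive: one benign member and one escaping via '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../../evil.sh"):
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Extract the sample archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_tar(), dest)


if __name__ == "__main__":
    written, rejected = demo()
    print("written: ", written)
    print("rejected:", rejected)
```

Because the check and the write happen in the same process with link members refused, nothing can swap a directory for a symlink between the two steps from inside the archive; a check that only inspects the literal member string for a leading `../` would miss `a/../../b` and symlink-based escapes.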

Affected version:
File Roller 3.6.0, 3.8.0, 3.9.1 and later releases of those series prior to
the fixed versions below

Fixed version:
File Roller >= 3.6.4, >= 3.8.3, >= 3.9.3

Credit: vulnerability report received from Yorick Koster 
yorick.koster AT securify.nl

CVE: CVE-2013-4668

Timeline:
2013-05-16: vulnerability report received
2013-05-20: contacted File Roller maintainer
2013-05-27: maintainer provides patch for review
2013-05-28: reporter confirms patch effectiveness
2013-06-11: oCERT confirms patch effectiveness
2013-06-17: File Roller 3.9.3 released
2013-07-02: File Roller 3.6.4, 3.8.3 released
2013-07-04: contacted affected vendors
2013-07-04: assigned CVE
2013-07-08: advisory release

References:
http://fileroller.sourceforge.net
http://git.gnome.org/browse/file-roller
https://git.gnome.org/browse/file-roller/commit/?id=b147281293a8307808475e102a14857055f81631

Permalink:
http://www.ocert.org/advisories/ocert-2013-001.html



[oCERT-2011-002] libavcodec insufficient boundary check

2011-08-10 Thread Daniele Bianco

#2011-002 libavcodec insufficient boundary check

Description:

The libavcodec library, an open source video encoding/decoding library that
is part of the FFmpeg and Libav projects, performs an insufficient boundary
check on a buffer index. The missing check can result in arbitrary reads and
writes of data outside the boundaries of a destination buffer.

The vulnerability affects the Chinese AVS video (CAVS) decoder; specially
crafted CAVS files may lead to arbitrary code execution during decoding.

Affected version:

FFmpeg <= 0.7.2, <= 0.8.1

Libav <= 0.7.1

The following packages were identified as affected as they statically
include libavcodec.

MPlayer <= 1.0_rc4

Fixed version:

FFmpeg >= 0.7.3, >= 0.8.2

Libav, N/A

MPlayer, N/A

Credit: vulnerability report received from Emmanouel Kellinis.

CVE: N/A

Timeline:
2011-07-14: vulnerability report received
2011-07-15: contacted ffmpeg maintainers
2011-07-15: ffmpeg maintainer confirms the issue, preliminary patch is
provided
2011-07-21: patch approved by reporter
2011-07-23: contacted affected vendors
2011-08-10: advisory release

Permalink:
http://www.ocert.org/advisories/ocert-2011-002.html



[oCERT-2010-001] multiple http client unexpected download filename vulnerability

2010-05-17 Thread Daniele Bianco

#2010-001 multiple http client unexpected download filename vulnerability

Description:

The lftp, wget and lwp-download applications are ftp/http clients and file
transfer tools supporting various network protocols. The lwp-download
script is shipped along with the libwww-perl library.

Unsafe behaviour has been found in the way lftp and lwp-download handle the
Content-Disposition header in conjunction with the 'suggested filename'
functionality.

Additionally, unsafe behaviour has been found in wget and lwp-download in
the case of HTTP 3xx redirections during file download: both applications
automatically use the filename portion of the URL given in the Location
header.

Implicitly trusting the suggested filename results in a saved file whose
name differs from the one the user expects from the URL they specified.
An attacker-controlled server can use this to silently write hidden and/or
initialization files in the user's current directory (e.g. .login,
.bashrc).

The impact of this vulnerability is greater in the case of lftp/lftpget,
as the default configuration allows files to be overwritten without
prompting the user for confirmation. In lftp the get1 command is affected;
it can be invoked directly by the user from lftp's command line interface,
or indirectly through the lftpget script packaged with the lftp
distribution.
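The filename policy the advisory argues for, as an added example that is not lftp, wget or lwp-download code: by default the name is derived from the URL the user typed, and neither the Content-Disposition `filename` parameter nor the last path segment of a redirect target is consulted. Only when the caller opts in are server-supplied names used, and then only after reducing them to a bare, visible basename, so a suggested `.bashrc` or a redirect to `/tmp/.login` falls back to the URL name. The header values, the `index.html` fallback and the function names are constructed for the illustration.

```python
"""Choosing a download filename without trusting the server.
Constructed demo; not the code of any of the clients in the advisory."""
from email.message import Message
from urllib.parse import unquote, urlsplit


def url_filename(url):
    """Last path segment of a URL, percent-decoded.  'index.html' for an
    empty segment is an assumed fallback, not any particular client's rule."""
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    return name or "index.html"


def suggested_filename(content_disposition):
    """The filename parameter of a Content-Disposition value, or None.
    The email header parser handles quoting and RFC 2231 encoded values."""
    if not content_disposition:
        return None
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()


def sanitize_filename(name):
    """Reduce a server-supplied name to a bare, visible basename or None.
    Refuses directory components (either separator), empty names, '.',
    '..', NULs and anything starting with '.', which is how .bashrc or
    .login would otherwise land in the download directory."""
    if name is None:
        return None
    name = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not name or name in (".", "..") or name.startswith(".") or "\0" in name:
        return None
    return name


def choose_filename(requested_url, headers, final_url=None, trust_server=False):
    """Default: the name implied by the URL the user typed, ignoring the
    Content-Disposition header and the redirect target entirely.  Only when
    the user opts in are server names considered, after sanitisation, with
    the URL name as the fallback."""
    default = url_filename(requested_url)
    if not trust_server:
        return default
    candidates = [suggested_filename(headers.get("Content-Disposition"))]
    if final_url:
        candidates.append(url_filename(final_url))
    for candidate in candidates:
        safe = sanitize_filename(candidate)
        if safe:
            return safe
    return default


if __name__ == "__main__":
    # Constructed responses from an attacker-controlled server.
    url = "http://example.invalid/pkg.tar.gz"
    hostile = {"Content-Disposition": 'attachment; filename=".bashrc"'}
    print(choose_filename(url, hostile))
    print(choose_filename(url, hostile, trust_server=True))
    print(choose_filename(url, {}, final_url="http://example.invalid/tmp/.login",
                          trust_server=True))
```

A client that also refuses to overwrite an existing file unless told to closes the remaining gap the advisory notes for lftp's default configuration.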

Affected version:

lftp <= 4.0.5

wget <= 1.12

libwww-perl <= 5.834

Fixed version:

lftp >= 4.0.6

wget N/A

libwww-perl >= 5.835

Credit: Vulnerability discovered and reported by Hank Leininger and Solar
Designer under the Openwall Project, with further analysis by
Daniele Bianco of oCERT.

CVE: N/A

Timeline:

2009-10-23: vulnerability report received
2010-01-08: further investigations and analysis completed
2010-01-10: contacted wget, libwww-perl and lftp maintainers
2010-01-11: wget did not acknowledge the report; the maintainer did not
            consider the reported issues relevant from a security
            perspective
2010-01-21: lftp acknowledged the report and provided a preliminary
            analysis of the reported issues
2010-02-06: wget confirmed the application will not be fixed
2010-02-08: libwww-perl acknowledged the report and provided a preliminary
            analysis of the reported issues
2010-03-25: lftp 4.0.6 released
2010-05-05: libwww-perl-5.836 released
2010-05-10: contacted affected vendors
2010-05-14: failure reported during notification process of vendor-sec
list, notification re-sent
2010-05-17: advisory published

Permalink:
http://www.ocert.org/advisories/ocert-2010-001.html

-- 
  Daniele Bianco  oCERT | Open Source Computer Emergency Response Team 
  dan...@ocert.org  http://www.ocert.org
  
  GPG Key 0x4545E02B
  GPG Key fingerprint = 3706 0361 56B2 61B1 B873  E400 353D 54F4 4545 E02B