== Environment

A security issue has been discovered in Apache Cayenne ROP. Remote Object Persistence (ROP) is an optional Cayenne component: a Java client library that executes Cayenne operations (query, insert, update, etc.) against a server and gives the client environment access to the object data map.

ROP has two options for serialising data between client and server: Hessian and protobuf. The older of the two, Hessian, is the subject of today's security announcement.


== Vulnerability

In Apache Cayenne 4.1 and earlier, running on a Java version that lacks the JNDI/LDAP mitigation described below, an attacker with client access to Cayenne ROP can send a crafted Hessian payload that the server deserialises without class whitelisting. If a deserialisation gadget exists in any vulnerable third-party dependency on the server classpath, this can result in arbitrary code execution.


== Workaround

Do one of the following:

* upgrade to Apache Cayenne 4.2

* upgrade to a patched version of Java (6u211, 7u201, 8u191, 11.0.1 or later)

* use protobuf instead of Hessian serialisation


All versions of Apache Cayenne 4.2 have whitelisting enabled by default for Hessian deserialization, so only permitted classes are instantiated from a client payload. Later versions of Java also have the JNDI/LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.

The LDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1, where the com.sun.jndi.ldap.object.trustURLCodebase system property defaults to false, which prevents JNDI from loading remote code through LDAP. Note that the default can be overridden by explicitly setting that property to true on the JVM command line, so check the startup flags of the ROP server as well as the Java version.
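A check for the "patched Java" workaround, added here as an example; it is not code from this announcement or from the Cayenne project. It normalises both Java version schemes (legacy `1.8.0_191` and JEP 223 `11.0.1`), compares the result against the baselines listed above, and also flags a JVM whose startup flags set com.sun.jndi.ldap.object.trustURLCodebase back to true, which undoes the mitigation. Treating JDK 9 and 10 (not listed in the announcement) as unmitigated and every feature release after 11 as mitigated is an assumption, and the version strings and flags in the sample run are constructed.

```python
"""Check whether a JVM has the JNDI/LDAP remote-codebase mitigation the
announcement relies on (trustURLCodebase defaulting to false), and whether
that default has been overridden on the command line.

Added example, not code from the Cayenne project or this announcement.
Version strings in __main__ are constructed samples. Assumptions: JDK 9 and
10 (not listed in the announcement) are treated as unmitigated, and every
feature release after 11 is treated as mitigated.
"""
import re
import subprocess

# First release per major line in which com.sun.jndi.ldap.object.trustURLCodebase
# defaults to false, taken from the announcement: 6u211, 7u201, 8u191, 11.0.1.
LDAP_MITIGATION_BASELINE = {
    6: (6, 0, 211),
    7: (7, 0, 201),
    8: (8, 0, 191),
    11: (11, 0, 1),
}

TRUST_URL_CODEBASE = "com.sun.jndi.ldap.object.trustURLCodebase"

# Legacy scheme "1.<major>.<minor>_<update>" (Java 6, 7, 8) and the JEP 223
# scheme "<major>.<minor>.<security>" (Java 9 onward). Trailing build
# suffixes such as "-b12" or "+13" are ignored by the anchored patterns.
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_java_version(text):
    """Normalise a java.version string to a (major, minor, update) tuple."""
    text = text.strip().strip('"')
    m = _LEGACY.match(text)
    if m:
        major, minor, update = m.groups()
        return (int(major), int(minor), int(update or 0))
    m = _MODERN.match(text)
    if not m:
        raise ValueError("unrecognised java.version: %r" % text)
    major, minor, update = m.groups()
    return (int(major), int(minor or 0), int(update or 0))


def has_ldap_mitigation(version):
    """True if the version is at or beyond the first mitigated release of its line."""
    parsed = parse_java_version(version)
    baseline = LDAP_MITIGATION_BASELINE.get(parsed[0])
    if baseline is None:
        # Assumption: 12 and later inherit the 11.0.1 change; 9, 10 and
        # anything older than 6 are treated as unmitigated.
        return parsed[0] > 11
    return parsed >= baseline


def codebase_trust_reenabled(jvm_args):
    """True if a -D flag explicitly sets trustURLCodebase back to true."""
    prefix = "-D" + TRUST_URL_CODEBASE + "="
    for arg in jvm_args:
        if arg.startswith(prefix):
            value = arg.split("=", 1)[1].strip()
            if value.lower() == "true":  # Boolean.parseBoolean is case-insensitive
                return True
    return False


def assess_jvm(version, jvm_args=()):
    """Classify a JVM as 'unpatched', 'reenabled' or 'mitigated'."""
    if not has_ldap_mitigation(version):
        return "unpatched"
    if codebase_trust_reenabled(jvm_args):
        return "reenabled"
    return "mitigated"


def local_java_version(java="java"):
    """Read the version string of an installed JVM; 'java -version' prints to
    stderr. Returns None if no JVM is on the PATH."""
    try:
        out = subprocess.run([java, "-version"], capture_output=True, text=True)
    except OSError:
        return None
    m = re.search(r'version "([^"]+)"', out.stderr + out.stdout)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed samples: version string plus the flags the ROP server
    # was started with.
    samples = [
        ("1.8.0_181", ["-Xmx2g"]),
        ("1.8.0_191", ["-Xmx2g"]),
        ("1.8.0_191", ["-Xmx2g", "-D%s=true" % TRUST_URL_CODEBASE]),
        ("11.0.1", []),
        ("11", []),
        ("17.0.2", []),
    ]
    for version, args in samples:
        print("%-10s %-10s %s" % (version, assess_jvm(version, args), " ".join(args)))
    local = local_java_version()
    if local:
        print("local JVM %s: %s" % (local, assess_jvm(local)))
```

Run it on each host that serves ROP. The local check only reports on the `java` found on the PATH, which is not necessarily the JVM the application server runs under, so feed `assess_jvm` the version and flags of the actual server process (for example from its process command line) rather than relying on the PATH lookup.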


A patched version of Cayenne 4.1 (or earlier) will not be released since we believe there are sufficient ways to avoid the issue and the number of people using ROP is likely quite low. Given the security model of ROP, it is also most likely used in a scenario where the client is trusted.

Our thanks to Panda for discovering and responsibly reporting the issue.


Ari Maniatis

on behalf of the Cayenne PMC

Security announcement: CVE-2022-24289 (Aristedes Maniatis)
