[jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)
[ https://issues.apache.org/jira/browse/CASSANDRA-15423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16974783#comment-16974783 ]

Abhishek Singh commented on CASSANDRA-15423:
--

Thanks Dinesh. I took a note of it.

> CVE-2015-2156 (Netty is vulnerable to Information Disclosure)
> --
>
>                 Key: CASSANDRA-15423
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15423
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Abhishek Singh
>            Priority: Normal
>
> *Description :*
>
> *Severity :* CVE CVSS 3.0: 7.5; Sonatype CVSS 3.0: 7.5
>
> *Weakness :* CVE CWE: 20
>
> *Source :* National Vulnerability Database
>
> *Categories :* Data
>
> *Description from CVE :* Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final,
> 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x
> before 2.3.9 might allow remote attackers to bypass the httpOnly flag on
> cookies and obtain sensitive information by leveraging improper validation of
> cookie name and value characters.
>
> *Explanation :* Netty is vulnerable to Information Disclosure. Multiple methods
> in multiple files improperly validate cookie names and values. This allows the
> presence of single-quote and double-quote characters to break tokenization. A
> remote attacker can exploit this vulnerability by inducing a victim to send a
> crafted request containing quote characters in any parameter value that sets a
> cookie. If that tainted cookie gets reflected in the response, the attacker can
> then use Cross-Site Scripting (XSS) to potentially retrieve the entire cookie
> header, despite the presence of an HttpOnly flag. The Sonatype security
> research team discovered that the vulnerability is present in all versions
> prior to 3.9.7.Final and 3.10.x before 3.10.2.Final, and not in all the
> versions before 3.9.8.Final and 3.10.x before 3.10.3.Final as the advisory
> states.
>
> *Detection :* The application is vulnerable by using this component if it
> reflects any cookie information in an HTML page, and that page is also prone
> to Cross-Site Scripting (XSS) attacks.
>
> *Recommendation :* We recommend upgrading to a version of this component that
> is not vulnerable to this specific issue.
>
> *Root Cause :* Cassandra-2.2.5.nupkg CookieDecoder.class : [5.0.0.Alpha1,
> 5.0.0.Alpha2)
>
> *Advisories :* Project:
> https://engineering.linkedin.com/security/look-netty_s-recen...
>
> *CVSS Details :* CVE CVSS 3.0: 7.5
>
> *Occurrences (Paths) :* [
>   "apache-cassandra.zip/bin/cassandra.in.bat" ;
>   "apache-cassandra.zip/bin/cassandra.in.sh" ;
>   "apache-cassandra.zip/bin/cqlsh.bat" ;
>   "apache-cassandra.zip/bin/debug-cql.bat" ;
>   "apache-cassandra.zip/bin/source-conf.ps1" ;
>   "apache-cassandra.zip/bin/sstableloader.bat" ;
>   "apache-cassandra.zip/bin/sstablescrub.bat" ;
>   "apache-cassandra.zip/bin/sstableupgrade.bat" ;
>   "apache-cassandra.zip/bin/sstableverify.bat" ;
>   "apache-cassandra.zip/bin/stop-server" ;
>   "apache-cassandra.zip/bin/stop-server.bat" ;
>   "apache-cassandra.zip/bin/stop-server.ps1" ;
>   "apache-cassandra.zip/conf/README.txt" ;
>   "apache-cassandra.zip/conf/cassandra-rackdc.properties" ;
>   "apache-cassandra.zip/conf/cassandra-topology.properties" ;
>   "apache-cassandra.zip/conf/commitlog_archiving.properties" ;
>   "apache-cassandra.zip/conf/triggers/README.txt" ;
>   "apache-cassandra.zip/lib/ST4-4.0.8.jar" ;
>   "apache-cassandra.zip/lib/airline-0.6.jar" ;
>   "apache-cassandra.zip/lib/antlr-runtime-3.5.2.jar" ;
>   "apache-cassandra.zip/lib/commons-cli-1.1.jar" ;
>   "apache-cassandra.zip/lib/commons-lang3-3.1.jar" ;
>   "apache-cassandra.zip/lib/commons-math3-3.2.jar" ;
>   "apache-cassandra.zip/lib/compress-lzf-0.8.4.jar" ;
>   "apache-cassandra.zip/lib/concurrentlinkedhashmap-lru-1.4.jar" ;
>   "apache-cassandra.zip/lib/disruptor-3.0.1.jar" ;
>   "apache-cassandra.zip/lib/ecj-4.4.2.jar" ;
>   "apache-cassandra.zip/lib/futures-2.1.6-py2.py3-none-any.zip" ;
>   "apache-cassandra.zip/lib/high-scale-lib-1.0.6.jar" ;
>   "apache-cassandra.zip/lib/jamm-0.3.0.jar" ;
>   "apache-cassandra.zip/lib/javax.inject.jar" ;
>   "apache-cassandra.zip/lib/jbcrypt-0.3m.jar" ;
>   "apache-cassandra.zip/lib/jcl-over-slf4j-1.7.7.jar" ;
>   "apache-cassandra.zip/lib/joda-time-2.4.jar" ;
>   "apache-cassandra.zip/lib/json-simple-1.1.jar" ;
>   "apache-cassandra.zip/lib/libthrift-0.9.2.jar" ;
>   "apache-cassandra.zip/lib/licenses/ST4-4.0.8.txt" ;
>   "apache-cassandra.zip/lib/licenses/antlr-runtime-3.5.2.txt" ;
>   "apache-cassandra.zip/lib/licenses/compress-lzf-0.8.4.txt" ;
>   "apache-cassandra.zip/lib/licenses/concurrent-trees-2.4.0.txt" ;
>   "apache-cassandra.zip/lib/licenses/ecj-4.4.2.txt" ;
>   "apache-cassandra.zip/lib/licenses/futures-2.1.6.txt" ;
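The quoted Explanation, Detection and Recommendation sections describe the defect as a tokenization problem: a cookie decoder that treats quote characters as grouping can let one value swallow the `;`-separated pairs after it, and an encoder that does not validate characters lets a tainted value reach the `Set-Cookie` header in the first place. The following Python is an added illustration of the two checks a defender wants on both sides of that boundary; it is not code from the ticket, from Netty or from Cassandra, and the function names (`encode_set_cookie`, `decode_cookie_header`, `is_rejected`) are made up for this example. It follows the RFC 6265 grammar: a cookie name is an RFC 2616 token and a cookie value is built from `cookie-octet`, which excludes DQUOTE, `;`, `,`, `\`, space and control characters.

```python
import re

# RFC 6265 grammar (hypothetical helper names; added example, not Netty's code):
#   cookie-name  = token                  (RFC 2616 token: no CTLs or separators)
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# cookie-octet excludes CTLs, SP, DQUOTE, comma, semicolon and backslash,
# so a legal value can never contain the ';' that separates cookie pairs.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def validate_cookie_name(name: str) -> str:
    """Reject a cookie name that is not an RFC 2616 token."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"illegal cookie name: {name!r}")
    return name


def validate_cookie_value(value: str) -> str:
    """Reject a value containing DQUOTE, ';', ',', backslash, SP or CTLs."""
    if not _COOKIE_OCTETS.fullmatch(value):
        raise ValueError(f"illegal cookie value: {value!r}")
    return value


def encode_set_cookie(name: str, value: str, http_only: bool = True,
                      secure: bool = True) -> str:
    """Output-side check: build a Set-Cookie header, refusing any name or
    value that could break tokenization in a downstream decoder. A value
    copied from a request parameter is rejected instead of being emitted."""
    validate_cookie_name(name)
    validate_cookie_value(value)
    attrs = [f"{name}={value}", "Path=/"]
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def is_rejected(name: str, value: str) -> bool:
    """True when encode_set_cookie refuses the pair (convenience for checks)."""
    try:
        encode_set_cookie(name, value)
    except ValueError:
        return True
    return False


def decode_cookie_header(header: str) -> dict:
    """Input-side decoder: split on ';' FIRST, then on the first '=', and strip
    DQUOTE only when it wraps the whole value. Quote characters are never
    treated as grouping across a ';', so a malformed value cannot absorb the
    pairs that follow it; a pair that fails the grammar is dropped on its own
    and the remaining cookies (e.g. an HttpOnly session cookie) stay intact."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN.fullmatch(name):
            continue  # malformed pair: drop it rather than guess
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        if not _COOKIE_OCTETS.fullmatch(value):
            continue  # stray quote/CTL inside the value: drop only this pair
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    # Constructed sample request header: a malformed preference cookie sits
    # before the session cookie. Only the malformed pair is discarded.
    print(decode_cookie_header('pref=a"b; SESSION=secret123'))  # {'SESSION': 'secret123'}
    print(encode_set_cookie("SESSION", "secret123"))
    print(is_rejected("pref", 'a"b'))  # True: never emitted into Set-Cookie
```

Note that RFC 6265 permits a single quote inside a value, which is why the decoder, not just the encoder, has to be robust: the decoder above never lets any quote character extend a value past a `;`. Applications that must interoperate with older decoders may additionally exclude `'` on the encode side.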
[jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)
[ https://issues.apache.org/jira/browse/CASSANDRA-15423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16974631#comment-16974631 ]

Dinesh Joshi commented on CASSANDRA-15423:
--

Thanks for reporting this. While the version of Netty is vulnerable, I don't think Cassandra uses Netty's HTTP classes at all, so it's unlikely we're vulnerable to the said attack.
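Dinesh's reply separates two questions: whether the bundled Netty version falls inside the affected range, and whether the affected HTTP cookie classes are actually used. The first is mechanical, and the Python below is an added example (not code from the ticket, Netty or Cassandra) that answers it by ordering Netty release names (Alpha < Beta < CR < Final) and comparing them against the ranges quoted in the CVE text and in the Sonatype note above. The helper names (`parse_netty_version`, `is_affected`, `netty_version_from_jar`) and the sample jar names are constructed for the example; the ticket's path list is cut off before any Netty jar, so no Cassandra Netty version is assumed here.

```python
import re

# Ordering of Netty release qualifiers. Hypothetical helper names; the ranges
# below are quoted from the CVE text in this ticket, not from project code.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3}


def parse_netty_version(version: str) -> tuple:
    """'4.1.0.Beta5' -> ((4, 1, 0), (1, 5)); '3.9.8.Final' -> ((3, 9, 8), (3, 0)).
    An unqualified '4.0.27' ranks as Final. Tuples compare in release order."""
    numbers = []
    qualifier = (_QUALIFIER_RANK["final"], 0)
    for part in version.strip().split("."):
        if part.isdigit():
            numbers.append(int(part))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", part)
        if m is None or m.group(1).lower() not in _QUALIFIER_RANK:
            raise ValueError(f"unrecognised component {part!r} in {version!r}")
        qualifier = (_QUALIFIER_RANK[m.group(1).lower()], int(m.group(2) or 0))
    if not numbers:
        raise ValueError(f"no numeric component in {version!r}")
    while len(numbers) < 3:
        numbers.append(0)
    return (tuple(numbers), qualifier)


# (branch, first fixed version). branch None means "every release before".
# Ranges as stated in the CVE description quoted in the ticket.
NVD_RANGES = [
    (None, "3.9.8.Final"),
    ((3, 10), "3.10.3.Final"),
    ((4, 0), "4.0.28.Final"),
    ((4, 1), "4.1.0.Beta5"),
]
# Sonatype's narrower finding for the 3.x lines (quoted in the ticket);
# the 4.x lines are left as in the advisory.
SONATYPE_RANGES = [
    (None, "3.9.7.Final"),
    ((3, 10), "3.10.2.Final"),
    ((4, 0), "4.0.28.Final"),
    ((4, 1), "4.1.0.Beta5"),
]


def is_affected(version: str, ranges=NVD_RANGES) -> bool:
    """True when `version` is older than the fix on its branch."""
    parsed = parse_netty_version(version)
    for branch, fixed in ranges:
        if branch is not None and parsed[0][:2] != branch:
            continue
        if parsed < parse_netty_version(fixed):
            return True
    return False


def netty_version_from_jar(jar_name: str):
    """Extract the version from a jar name such as 'netty-all-4.0.23.Final.jar'.
    Returns None for jars that are not Netty artifacts."""
    m = re.fullmatch(
        r"netty(?:-[a-z]+)*-(\d+(?:\.\d+)+(?:\.[A-Za-z]+\d*)?)\.jar", jar_name)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed jar names, not the contents of the Cassandra distribution.
    for jar in ["netty-all-4.0.23.Final.jar", "netty-3.9.7.Final.jar", "jamm-0.3.0.jar"]:
        v = netty_version_from_jar(jar)
        if v is None:
            continue
        print(jar, "NVD range:", is_affected(v),
              "Sonatype range:", is_affected(v, SONATYPE_RANGES))
```

A version inside the range is necessary but not sufficient for exposure: as the reply above says, the Detection section only applies when the HTTP cookie classes are used and cookie data is reflected into HTML, so the version check decides the upgrade priority rather than proving exploitability.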