Thanks for your response.

In terms of security, we’re good, as the templates themselves are made by trusted 
sources (and not in any case uploaded dynamically by users).

My concern is more that I don’t have the right to release any software that does 
not score 100 in Veracode (amongst other security related items) as per my 
organization's Secure Software policy. So I might be in a situation where I’ve 
got a perfectly secure piece of software that I can’t release due to that.

Many thanks and kind regards,

Arnaud



From: Daniel Dekany <daniel.dek...@gmail.com>
Sent: Thursday, March 10, 2022 10:24 AM
To: Demarcq, Arnaud <arnaud.dema...@experian.com>
Cc: FreeMarker developer list <dev@freemarker.apache.org>; EMA Development 
<ema-developm...@experian.com>
Subject: Re: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Actually, FreeMarker does block java.security.ProtectionDomain.getClassLoader 
since 2.3.30, released on 2020-03-05, not just since 2.3.31. So even 2.3.30 is 
safe from this particular CVE. I'm also discussing this with Veracode, and they 
did answer, so we will see if they will update their database.

And yet again, if that CVE was a real problem for you, then you certainly have 
many more problems there: 
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security

On Wed, Mar 9, 2022 at 4:16 PM Demarcq, Arnaud 
<arnaud.dema...@experian.com> wrote:
Hi @Daniel Dekany,

Thanks for the confirmation.

Kind regards,

Arnaud

From: Daniel Dekany <daniel.dek...@gmail.com>
Sent: Wednesday, March 9, 2022 4:13 PM
To: Demarcq, Arnaud <arnaud.dema...@experian.com>
Cc: FreeMarker developer list <dev@freemarker.apache.org>; EMA Development 
<ema-developm...@experian.com>
Subject: Re: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Yes, if the problem is what they have linked, then you are safe with 2.3.31. 
But, if somebody was affected by this issue, then I strongly advise checking 
out the FAQ item I linked earlier. FreeMarker was NOT designed for scenarios 
where you can have malicious template authors. I'm not even sure what the 
alternatives are, if somebody needs that.

On Wed, Mar 9, 2022 at 11:22 AM Demarcq, Arnaud 
<arnaud.dema...@experian.com> wrote:
Hi @Daniel Dekany,

Thanks for your response.

Does that mean that with version 2.3.31, we are safe, and that Veracode 
flagging this version as dangerous is a false positive?

Also, when is the next version planned to be released? My experience shows that 
Veracode is not very reactive when it comes to un-flagging lib versions.

Many thanks and kind regards,

Arnaud

From: Daniel Dekany <daniel.dek...@gmail.com>
Sent: Monday, March 7, 2022 9:09 PM
To: FreeMarker developer list <dev@freemarker.apache.org>
Cc: EMA Development <ema-developm...@experian.com>
Subject: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Hi,

They refer to a Magnolia CMS vulnerability that was fixed in Magnolia CMS, and 
a FreeMarker kind-of-vulnerability, which was already addressed in 2.3.31. See 
also: 
https://issues.apache.org/jira/browse/FREEMARKER-205

But most importantly, see this: 
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security


On Mon, Mar 7, 2022 at 8:52 PM Demarcq, Arnaud 
<arnaud.dema...@experian.com.invalid> wrote:
Dear dev@freemarker.apache.org,

We are using freemarker as our main templating engine for the various software 
my team and I are maintaining.

In order to be certain our software is secure and compliant with the latest 
security standards, our code is dynamically tested with Veracode. We're 
currently having the latest version of freemarker flagged as dangerous because 
of this CVE:

CVE-2021-46361 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46361)
undefined: org.freemarker:freemarker is vulnerable to arbitrary code execution. 
Remote attackers are able to inject and execute malicious scripts on the host 
machine via crafted payloads to bypass security restrictions.


The options we have are:

  *   Waiting for a new release of freemarker that fixes this CVE
  *   Switching to another templating engine (which I would like to avoid if 
we can, as this would mean a breach in ascending compatibility due to syntax in 
the templates).

Can you please kindly share if this issue is being actively worked on? If it 
is, do you have a tentative date for the next release?

Many thanks and kind regards,

Arnaud DEMARCQ


--
Best regards,
Daniel Dekany
