[
https://issues.apache.org/jira/browse/VELTOOLS-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mark Symons updated VELTOOLS-170:
---------------------------------
Description:
Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and mitigate
CVE-2014-0114. See BEANUTILS-463 for fix info.
Velocity Tools v2.0 currently uses bean-utils v1.7.0
Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat
analysis have updated affected versions to include 1.7.0.
{quote}
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in
Apache Struts 1.x through 1.3.10 and in other products requiring
commons-beanutils through 1.9.2, does not suppress the class property, which
allows remote attackers to "manipulate" the ClassLoader and execute arbitrary
code via the class parameter, as demonstrated by the passing of this parameter
to the getClass method of the ActionForm object in Struts 1.
{quote}
h5.CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type:
* Allows unauthorized disclosure of information
* Allows unauthorized modification
* Allows disruption of service
h3.Edit: 28th November 2016
Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November
2016). From the vulnerability information provided (and highlighting in red
the bit that applies to Velocity Tools):
{quote}
h4.Explanation
Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can
lead to Remote Code Execution (RCE). Access to the {{class}} and {{Class}}
properties is not suppressed, exposing them by default. An attacker can
construct malicious input using the {{class property}} in order to manipulate
the {{ClassLoader}} potentially leading to arbitrary code execution.
h4.Detection
{color:red}If you are the calling application, you are vulnerable by running
this component without filtering the property names {{class}} and
{{Class}}{color}. If this is a transitive dependency, you will want to contact
the parent project to ensure they have added a mitigating control.
Note: If you are using the built-in implementation of
{{SuppressPropertiesBeanIntrospector}} added in version 1.9.2 of
{{commons-beanutils}} as your mitigation you are still vulnerable. Although the
built-in implementation specifically suppresses the {{class}} properly, it does
not also suppress {{Class}}.
h4.Recommendation
Although commons-beanutils offers a built-in implementation of
SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically
suppresses the “class” properly, it does not also suppress “Class”. Due to this
insufficient fix which is also not enabled by default, we recommend
implementing your own custom mitigating control such as the one found here -
https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
{quote}
was:
Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and mitigate
CVE-2014-0114. See BEANUTILS-463 for fix info.
Velocity Tools v2.0 currently uses bean-utils v1.7.0
Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat
analysis have updated affected versions to include 1.7.0.
{quote}
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in
Apache Struts 1.x through 1.3.10 and in other products requiring
commons-beanutils through 1.9.2, does not suppress the class property, which
allows remote attackers to "manipulate" the ClassLoader and execute arbitrary
code via the class parameter, as demonstrated by the passing of this parameter
to the getClass method of the ActionForm object in Struts 1.
{quote}
h5.CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type:
* Allows unauthorized disclosure of information
* Allows unauthorized modification
* Allows disruption of service
h3.Edit: 28th November 2016
Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November
2016).
h4.Explanation
Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can
lead to Remote Code Execution (RCE). Access to the class and Class properties
is not suppressed, exposing them by default. An attacker can construct
malicious input using the class property in order to manipulate the ClassLoader
potentially leading to arbitrary code execution.
h4.Detection
If you are the calling application, you are vulnerable by running this
component without filtering the property names class and Class. If this is a
transitive dependency, you will want to contact the parent project to ensure
they have added a mitigating control.
Note: If you are using the built-in implementation of
SuppressPropertiesBeanIntrospector added in version 1.9.2 of commons-beanutils
as your mitigation you are still vulnerable. Although the built-in
implementation specifically suppresses the class properly, it does not also
suppress Class.
h4.Recommendation
Although commons-beanutils offers a built-in implementation of
SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically
suppresses the “class” properly, it does not also suppress “Class”. Due to this
insufficient fix which is also not enabled by default, we recommend
implementing your own custom mitigating control such as the one found here -
https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
> Upgrade beanutils to 1.9.2
> --------------------------
>
> Key: VELTOOLS-170
> URL: https://issues.apache.org/jira/browse/VELTOOLS-170
> Project: Velocity Tools
> Issue Type: Bug
> Components: Build
> Affects Versions: 2.0
> Reporter: Mark Symons
> Priority: Critical
>
> Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and
> mitigate CVE-2014-0114. See BEANUTILS-463 for fix info.
> Velocity Tools v2.0 currently uses bean-utils v1.7.0
> Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat
> analysis have updated affected versions to include 1.7.0.
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
> in Apache Struts 1.x through 1.3.10 and in other products requiring
> commons-beanutils through 1.9.2, does not suppress the class property, which
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary
> code via the class parameter, as demonstrated by the passing of this
> parameter to the getClass method of the ActionForm object in Struts 1.
> {quote}
> h5.CVSS Version 2 Metrics:
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type:
> * Allows unauthorized disclosure of information
> * Allows unauthorized modification
> * Allows disruption of service
> h3.Edit: 28th November 2016
> Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November
> 2016). From the vulnerability information provided (and highlighting in red
> the bit that applies to Velocity Tools):
> {quote}
> h4.Explanation
> Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can
> lead to Remote Code Execution (RCE). Access to the {{class}} and {{Class}}
> properties is not suppressed, exposing them by default. An attacker can
> construct malicious input using the {{class property}} in order to manipulate
> the {{ClassLoader}} potentially leading to arbitrary code execution.
> h4.Detection
> {color:red}If you are the calling application, you are vulnerable by running
> this component without filtering the property names {{class}} and
> {{Class}}{color}. If this is a transitive dependency, you will want to
> contact the parent project to ensure they have added a mitigating control.
> Note: If you are using the built-in implementation of
> {{SuppressPropertiesBeanIntrospector}} added in version 1.9.2 of
> {{commons-beanutils}} as your mitigation you are still vulnerable. Although
> the built-in implementation specifically suppresses the {{class}} properly,
> it does not also suppress {{Class}}.
> h4.Recommendation
> Although commons-beanutils offers a built-in implementation of
> SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically
> suppresses the “class” properly, it does not also suppress “Class”. Due to
> this insufficient fix which is also not enabled by default, we recommend
> implementing your own custom mitigating control such as the one found here -
> https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
