Hi Jörg,

In Nexus our use of xstream deserialization resulted in a vulnerability which 
allowed remote execution of arbitrary binaries on the server for some versions 
of Nexus.

Given the severity of this vulnerability we felt that we needed to have a fix 
in place immediately for our customers at the time we made this public.

Consequently we felt that we couldn't go through the normal process, which 
would be to work with you directly.

None of us were happy about this, but we felt there was no alternative.

I do apologize though, I can certainly understand your feelings on this matter.

Regards,

Rich

On Jan 14, 2014, at 5:53 PM, Jörg Schaible <[email protected]> wrote:

> Hi Rich,
> 
> Richard Seddon wrote:
> 
>> 
>> Just thought I'd let you know that we released a patched version of
>> XStream to address the vulnerability our use of XStream deserialization
>> caused in Sonatype Nexus.
>> 
>> The code can be found here:
>> 
>> https://github.com/sonatype/xstream-whitelist
>> 
>> This code is designed specifically for use in Nexus; it isn't intended for
>> use in other projects.
>> 
>> A high level overview of it is here (this link is for end users, so is
>> simplified a lot):
>> 
>> https://sonatype.zendesk.com/entries/37551958-Configuring-Xstream-Whitelist
>> 
>> If any of the code in the github repo is of use to you please feel free to
>> take it.
> 
> Well, normally I am happy if someone contributes code, but here I wonder 
> why an alternate implementation is suddenly presented alongside the existing 
> one, without any prior notice that you wanted to work on the stuff or which 
> requirements were not met by the existing code.
> 
> You actually implemented a slightly different approach from what we have 
> in trunk. We have similar possibilities to allow/deny types. 
> Configuration will follow our standard pattern using the XStream facade. 
> Documentation is not finished and trunk has to be merged into the 1.4.x 
> branch, but that will be done as soon as possible.
> 
> Regards,
> Jörg
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
> 
>    http://xircles.codehaus.org/manage_email
> 
> 

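The allow/deny configuration Jörg refers to, as an added example that is not code from the thread, from Nexus, or from the sonatype/xstream-whitelist repository: it uses the type-permission API that XStream shipped in its 1.4.7 security framework (`addPermission`, `allowTypes`, `ForbiddenClassException`). The `Settings` class, the `settings` alias and both XML inputs are constructed for illustration. The point it shows is the deny-by-default shape of the fix: a plain `new XStream()` will instantiate whatever type the XML names, so the hardened instance first clears every permission and then permits only the types the application actually reads back.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical data class: the only application type we expect to deserialize.
    public static class Settings {
        public String name;
        public int retries;
    }

    // Hardened XStream: deny everything, then re-allow exactly what is needed.
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // drop the permissive default
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xs.allowTypes(new Class[] { String.class, Settings.class });
        xs.alias("settings", Settings.class);                 // assumed alias, for readable XML
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed input naming an allowed type: deserializes normally.
        String expected = "<settings><name>nexus</name><retries>3</retries></settings>";
        Settings s = (Settings) xs.fromXML(expected);
        System.out.println("parsed: name=" + s.name + " retries=" + s.retries);

        // Constructed input naming a type that is not on the allow-list. The unhardened
        // default would resolve and instantiate it; the hardened instance rejects it
        // before any class is loaded or any converter runs.
        String unexpected = "<java.util.HashMap/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected type was accepted (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order matters: `NoTypePermission.NONE` must be added first, because it clears the permissions that `new XStream()` installs, and everything added after it widens the set again. Allowing types by class object rather than by wildcard string keeps the list reviewable; if a package wildcard is used instead, every class in that package becomes instantiable from untrusted input.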
