I have one thing to add. While it would be best to upgrade to this hotfix
release for now, if you can't do that and you're on Stripes 1.5.x and
you're not already using @StrictBinding then you can add this annotation to
your base ActionBean(s) to mitigate the issue.

@StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")

This will prevent access to the class loader via the "class" property. If
there are other paths to the class loader, they can be addressed similarly.

-Ben

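As an added illustration of Ben's mitigation (this is example code, not code from the thread or from the Stripes project): a base ActionBean carrying the annotation, and one concrete bean that inherits it. The class names BaseActionBean, EditUserActionBean and User and the package name are assumed for the example.

```java
// Added example, not from the thread. Package and class names are assumed.
package example.web;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.StrictBinding.Policy;
import net.sourceforge.stripes.validation.Validate;

/**
 * Every ActionBean in the application extends this class, so the binding
 * policy declared here applies to all of them, as Ben suggests.
 *
 * defaultPolicy = ALLOW keeps existing forms binding as before; the deny
 * list closes the "class" path:
 *   "class.**"    rejects bean.class and everything reachable below it
 *                 (class.classLoader...),
 *   "**.class.**" rejects the same path reached through any nested property
 *                 (user.class.classLoader...).
 *
 * Once every bound property carries @Validate (Rémi's recommendation), the
 * stricter form is defaultPolicy = Policy.DENY with no deny list: only
 * validated properties, plus any explicit allow entries, may then be bound.
 */
@StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")
public abstract class BaseActionBean implements ActionBean {
    private ActionBeanContext context;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
}

/** Constructed domain object used as a nested bind target (assumed name). */
class User {
    private String name;
    private String email;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

/**
 * Inherits the policy from BaseActionBean. Request parameters user.name and
 * user.email bind normally; a parameter such as user.class.classLoader.*
 * matches "**.class.**" and is refused before any setter runs.
 */
class EditUserActionBean extends BaseActionBean {
    private User user = new User();

    @Validate(required = true, maxlength = 40)
    private String comment;

    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }
    public String getComment() { return comment; }
    public void setComment(String comment) { this.comment = comment; }

    @DefaultHandler
    public Resolution save() {
        return new ForwardResolution("/WEB-INF/jsp/user.jsp");
    }
}
```

The deny patterns are evaluated against the dotted property path of each request parameter, so the base-class annotation covers nested beans on every subclass without per-bean changes; the hotfix release remains the complete fix.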

On Tue, Apr 29, 2014 at 6:51 AM, VANKEISBELCK Remi <r...@rvkb.com> wrote:

> Hi all,
>
> Fellow Stripers have recently pointed out a pretty scary security flaw in
> Stripes. Thanks a lot to them for the reports, we all owe you guys!
>
> In short, it's about using Data Binding to manipulate the application's
> ClassLoader, and allows an attacker to execute random code on the server,
> or DoS it. Pretty bad stuff to say the least...
>
> It's been discovered first in Struts, and applies to Stripes too. It
> affects all released versions.
> Some info:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
>
> If you use @StrictBinding+@Validate everywhere (which you should do
> anyway, classLoader manipulation or not), then you're safe: binding to
> getClass().getClassLoader() will be denied.
>
> If you don't, then you don't expose your data only: you have this
> classLoader manipulation problem too.
>
> Ben has fixed this bug for 1.5.8-SNAPSHOT and 1.6.0-SNAPSHOT, so future
> releases will be safe.
>
> https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
>
> We have released a hotfix over 1.5.7:
>
>
> http://repo1.maven.org/maven2/net/sourceforge/stripes/stripes/1.5.7-classloaderfix/
>
>         <dependency>
>             <groupId>net.sourceforge.stripes</groupId>
>             <artifactId>stripes</artifactId>
>             <version>1.5.7-classloaderfix</version>
>         </dependency>
>
> It's just a 1.5.7 rebuilt with Ben's fix for the classLoader issue. It is
> a private, implementation fix (no API changed), so there should be no
> regressions.
>
> We encourage everybody to upgrade ASAP.
>
> Cheers
>
> Rémi - on behalf of the dev. team.
>
>
>
> _______________________________________________
> Stripes-development mailing list
> stripes-developm...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/stripes-development
>
>
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users