Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 7 Jul 2014 22:20:19 -0400 (EDT)
From: cve-assign@...re.org
To: djorm@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://openwall.com/lists/oss-security/2014/06/15/10

> "A specialized BeanIntrospector implementation has been added which
> allows suppressing properties. There is also a pre-configured instance
> removing the class property from beans. Some notes have been added to
> the user's guide."
>
> I think it would be appropriate to assign a CVE ID to this issue

As far as we can tell, these are the specific commons-beanutils changes
for which you proposed to have a CVE ID:

   http://svn.apache.org/viewvc?view=revision&revision=1597345
   http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/package-info.java?r1=1597345&r2=1597344&pathrev=1597345

   Because the class property is undesired in many use cases there is
   already an instance of SuppressPropertiesBeanIntrospector which is
   configured to suppress this property.



   http://svn.apache.org/viewvc?view=revision&revision=1597344
   http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?r1=1597344&r2=1597343&pathrev=1597344

   public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
   new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));



   http://svn.apache.org/viewvc?view=revision&revision=1597343
   http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?revision=1597343&view=co&pathrev=1597343

   public class SuppressPropertiesBeanIntrospector implements BeanIntrospector


(Note that the last version of Apache Struts 1, version 1.3.10,
bundles commons-beanutils-1.8.0.jar in its lib directory. The 1.8.0
codebase obviously does not have the recently introduced
SuppressPropertiesBeanIntrospector class. To the extent that "The root
cause of this [CVE-2014-0114] flaw is that commons-beanutils exposes
the class property by default," we have a situation with the same
problem in two copies of the same original codebase, i.e., the copy
bundled in struts-1.3.10-all.zip from
http://struts.apache.org/download.cgi and the copy found at the
http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.1-src.zip
URL. In this context, the same problem cannot be represented by two
different CVE IDs.)

The entire set of changes from the above http://svn.apache.org URLs
makes it easier to use commons-beanutils safely, but it does not
change the default configuration or behavior in any way, and is thus
not eligible for a CVE ID.

In particular, the 1597344 change has this documentation:

   Adding this instance as BeanIntrospector to an instance of
   PropertyUtilsBean suppresses the class property; it can then no
   longer be accessed.

This is an additional step that would need to be followed for any
currently shipped product that relies on commons-beanutils. Simply
picking up version 1.9.2 does not solve the problem. The product's
source code must additionally be modified by (for example) changing
or adding an addBeanIntrospector method call.

Points that you raise, such as:

 - This would provide framework developers with the necessary
   information and impetus to upgrade

 - The commons-beanutils patch could be inherited by other frameworks
   that may not have the resources to produce their own patch

are worthwhile, but the scope of the CVE project does not include
IDs that exist only for a communication/outreach goal.

We are proceeding in this way:

  - immediately REJECT CVE-2014-3540 because, at the level of
    abstraction used by CVE, a second CVE ID is not required

  - at the same time, change the CVE-2014-0114 description and
    references to emphasize your important finding about the root
    cause. For example, the new CVE-2014-0114 description may be
    similar to:

    Apache Commons BeanUtils, as distributed in
    lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through
    1.3.10 and in other products requiring commons-beanutils through
    1.9.2, does not suppress the class property, which allows remote
    attackers to "manipulate" the ClassLoader and execute arbitrary
    code via the class parameter, as demonstrated by the passing of
    this parameter to the getClass method of the ActionForm object in
    Struts 1.

If any other product makes a security announcement that they have
added
addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS)
or equivalent code as a change to the default behavior, then there can
be an individual CVE ID for that product. However, if any other product
simply makes a security announcement that they have decided to ship
commons-beanutils 1.9.2 -- but the class property remains exposed in
the product as it is shipped and installed by default -- then a CVE ID
would not be assigned.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTu1Q8AAoJEKllVAevmvmsbboH/1V6JmrC2teZ9IUlxUJhJMq+
LK12/O3Iwfwevj0qaf8NuLhFi/wfCqURpMl2RbeeEC+xsYFY0VaJpZF7ixIRaMuB
dh6Ix5Qe/hEeOFJDLOuMkT4m41mN8dItwfv/iQw2qkWn/+DOUsvMf2pxxLzUN/M8
yBPCtx0QK83CS/utM3FQmmQEN2V9eVqNLijgLLgt2xR1boJXr9PFWiMOf2mov2y/
FVOc/CkLQa/AOfB8yee7gujmQwekKb8hLpEdWdPMWNkKFwsIhHc5UJBS366z96Yv
B5P1xZwBqAMpdAgo2dGXrUSBLdeAa/XOJMXeoJBz+fskXdst4AsTMgBTxPer5OI=
=tvsw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ