[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201407080220.s682KJS5003716@linus.mitre.org>
Date: Mon, 7 Jul 2014 22:20:19 -0400 (EDT)
From: cve-assign@...re.org
To: djorm@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> http://openwall.com/lists/oss-security/2014/06/15/10
> "A specialized BeanIntrospector implementation has been added which
> allows suppressing properties. There is also a pre-configured instance
> removing the class property from beans. Some notes have been added to
> the user's guide."
>
> I think it would be appropriate to assign a CVE ID to this issue
As far as we can tell, these are the specific commons-beanutils changes
for which you proposed to have a CVE ID:
http://svn.apache.org/viewvc?view=revision&revision=1597345
http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/package-info.java?r1=1597345&r2=1597344&pathrev=1597345
Because the class property is undesired in many use cases there is
already an instance of SuppressPropertiesBeanIntrospector which is
configured to suppress this property.
http://svn.apache.org/viewvc?view=revision&revision=1597344
http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?r1=1597344&r2=1597343&pathrev=1597344
public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
http://svn.apache.org/viewvc?view=revision&revision=1597343
http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?revision=1597343&view=co&pathrev=1597343
public class SuppressPropertiesBeanIntrospector implements BeanIntrospector
(Note that the last version of Apache Struts 1, version 1.3.10,
bundles commons-beanutils-1.8.0.jar in its lib directory. The 1.8.0
codebase obviously does not have the recently introduced
SuppressPropertiesBeanIntrospector class. To the extent that "The root
cause of this [CVE-2014-0114] flaw is that commons-beanutils exposes
the class property by default," we have a situation with the same
problem in two copies of the same original codebase, i.e., the copy
bundled in struts-1.3.10-all.zip from
http://struts.apache.org/download.cgi and the copy found at the
http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-1.9.1-src.zip
URL. In this context, the same problem cannot be represented by two
different CVE IDs.)
The entire set of changes from the above http://svn.apache.org URLs
makes it easier to use commons-beanutils safely, but it does not
change the default configuration or behavior in any way, and is thus
not eligible for a CVE ID.
In particular, the 1597344 change has this documentation:
Adding this instance as BeanIntrospector to an instance of
PropertyUtilsBean suppresses the class property; it can then no
longer be accessed.
This is an additional step that would need to be followed for any
currently shipped product that relies on commons-beanutils. Simply
picking up version 1.9.2 does not solve the problem. The product's
source code must additionally be modified by (for example) changing
or adding an addBeanIntrospector method call.
Points that you raise, such as:
- This would provide framework developers with the necessary
information and impetus to upgrade
- The commons-beanutils patch could be inherited by other frameworks
that may not have the resources to produce their own patch
are worthwhile, but the scope of the CVE project does not include
IDs that exist only for a communication/outreach goal.
We are proceeding in this way:
- immediately REJECT CVE-2014-3540 because, at the level of
abstraction used by CVE, a second CVE ID is not required
- at the same time, change the CVE-2014-0114 description and
references to emphasize your important finding about the root
cause. For example, the new CVE-2014-0114 description may be
similar to:
Apache Commons BeanUtils, as distributed in
lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through
1.3.10 and in other products requiring commons-beanutils through
1.9.2, does not suppress the class property, which allows remote
attackers to "manipulate" the ClassLoader and execute arbitrary
code via the class parameter, as demonstrated by the passing of
this parameter to the getClass method of the ActionForm object in
Struts 1.
If any other product makes a security announcement that they have
added
addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS)
or equivalent code as a change to the default behavior, then there can
be an individual CVE ID for that product. However, if any other product
simply makes a security announcement that they have decided to ship
commons-beanutils 1.9.2 -- but the class property remains exposed in
the product as it is shipped and installed by default -- then a CVE ID
would not be assigned.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
iQEcBAEBAgAGBQJTu1Q8AAoJEKllVAevmvmsbboH/1V6JmrC2teZ9IUlxUJhJMq+
LK12/O3Iwfwevj0qaf8NuLhFi/wfCqURpMl2RbeeEC+xsYFY0VaJpZF7ixIRaMuB
dh6Ix5Qe/hEeOFJDLOuMkT4m41mN8dItwfv/iQw2qkWn/+DOUsvMf2pxxLzUN/M8
yBPCtx0QK83CS/utM3FQmmQEN2V9eVqNLijgLLgt2xR1boJXr9PFWiMOf2mov2y/
FVOc/CkLQa/AOfB8yee7gujmQwekKb8hLpEdWdPMWNkKFwsIhHc5UJBS366z96Yv
B5P1xZwBqAMpdAgo2dGXrUSBLdeAa/XOJMXeoJBz+fskXdst4AsTMgBTxPer5OI=
=tvsw
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
