Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <536fea8d-f1e3-0914-49e7-a0961abce35c@apache.org>
Date: Tue, 18 Apr 2023 11:15:52 +0200
From: Jacques Le Roux <jleroux@...che.org>
To: oss-security@...ts.openwall.com
Cc: Arnout Engelen <engelen@...che.org>, seth.arnold@...onical.com,
 "security@...che.org" <security@...che.org>,
 "security@...iz.apache.org" <security@...iz.apache.org>
Subject: Re: CVE-2022-47501: Apache OFBiz: Arbitrary file
 reading vulnerability

Hi Seth,

I used to give more information. For this one, using our "new" internal process* (need an ASF credential) and  following step 11 of**, notably

    <<Generally, reports should contain enough information to enable people to assess the risk the vulnerability poses for their own system, and no
    more.>>

I restricted the information to a minimum.

With a request from Arnoult (member of the ASF security team in copy), there is though 2 points that have been changed since.

When sending to Mitre we replaced
https://lists.apache.org/list.html?announce@apache.org
by
https://lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc

You can see the result at https://www.cve.org/CVERecord?id=CVE-2022-47501

We also changed the "problem type" to be more specific. Following the CWE classification, we used "CWE-22 Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')" rather than "Arbitrary file reading vulnerability" used by the finder who stayed as the CVE title. You can 
see it at https://cveawg.mitre.org/api/cve/CVE-2022-47501 which is the json version of the report.

Regarding your points:

  * the vulnerability was introduced long ago (years) when the plugin was created. It was around 2013.
  * https://ofbiz.apache.org/security.html gives indirect information about the fix. Do you suggest that we need to put a direct link like
    https://github.com/apache/ofbiz-plugins/commit/582add7d3 ?

Thanks for the links. We will certainly consider what can be done to ease the work of downstream distributors and consumers.

Jacques

* https://cveprocess.apache.org/cve5/CVE-2022-47501
** https://www.apache.org/security/committers.html#vulnerability-handling

Le 18/04/2023 à 03:27, Seth Arnold a écrit :
> On Mon, Apr 10, 2023 at 09:21:11AM +0000, Jacques Le Roux wrote:
>> https://lists.apache.org/list.html?announce@apache.org
>> https://ofbiz.apache.org/download.html
>> https://ofbiz.apache.org/security.html
>> https://ofbiz.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2022-47501
> Hello Jacques, thanks for contacting the oss-security mail list about this
> security issue in an Apache project.
>
> I'd like to suggest that your email would be far more useful if
> it included some details like affected versions: ideally, when a
> vulnerability was introduced, and definitely, when it was fixed, if a
> fix is available. Best would be a direct link to a patch in a source
> control system, or attaching the patch directly.
>
> This particular email has very few details and no references for a fix so
> it is very difficult for anyone to take concrete actions.
>
> Here's two recent postings that are far easier for downstream distributors
> and consumers alike to use:
> https://www.openwall.com/lists/oss-security/2023/04/04/1
> https://www.openwall.com/lists/oss-security/2023/03/21/3
>
> I'd like to encourage Apache to use these as inspiration for future
> oss-security postings.
>
> Thanks
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.