Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <539E20A0.3030708@redhat.com>
Date: Mon, 16 Jun 2014 08:39:28 +1000
From: David Jorm <djorm@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request for commons-beanutils: 'class' property is exposed, potentially
 leading to RCE

Hi All

I have raised this twice with security@...che.org, on 30 April and June 
3. I have received no response either time, therefore I am raising it on 
oss-security.

CVE-2014-0114 describes a well-known issue in Apache Struts 1:

"It was found that the Struts 1 ActionForm object allowed access to the 
'class' parameter, which is directly mapped to the getClass() method. A 
remote attacker could use this flaw to manipulate the ClassLoader used 
by an application server running Struts 1. This could lead to remote 
code execution under certain conditions."

The root cause of this flaw is that commons-beanutils exposes the class 
property by default, with no mechanism to disable access to it. Struts 1 
is considered EOL upstream, and upstream has not yet shipped a patch for 
this flaw. Red Hat has shipped a patch, which was submitted upstream as 
a pull request:

https://github.com/apache/struts1/pull/1

This patch disables access to the class property in struts itself, 
rather than in commons-beanutils. Other frameworks built on 
commons-beanutils, such as Apache Stripes, are likely to expose similar 
issues. I think it would be a good idea to also assign a separate CVE ID 
to commons-beanutils, and ship a patch for commons-beanutils itself. The 
commons-beanutils patch could be inherited by other frameworks that may 
not have the resources to produce their own patch.

commons-beanutils 1.9.2 has now shipped:

http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt

Incorporating a patch for this issue:

https://issues.apache.org/jira/browse/BEANUTILS-463

"A specialized BeanIntrospector implementation has been added which 
allows suppressing properties. There is also a pre-configured instance 
removing the class property from beans. Some notes have been added to 
the user's guide."

I think it would be appropriate to assign a CVE ID to this issue in 
commons-beanutils, and publish an advisory. This would provide framework 
developers with the necessary information and impetus to upgrade to 
commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector.

Thanks
--
David Jorm / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.