Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Block two more gadget types (commons-configuration/-2) #2462

Closed
ybhou1993 opened this issue Sep 19, 2019 · 9 comments
Closed

Block two more gadget types (commons-configuration/-2) #2462

ybhou1993 opened this issue Sep 19, 2019 · 9 comments
Milestone

Comments

@ybhou1993
Copy link

ybhou1993 commented Sep 19, 2019

Another gadget (*) type report regarding a class of commons-configuration (and later commons-configuration2) package(s)

Mitre id: not yet allocated
Reporter: @ybhou1993

Fixed in:

  • 2.9.10 and later
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

@cowtowncoder

This comment has been minimized.

@cowtowncoder cowtowncoder added need-test-case To work on issue, a reproduction (ideally unit test) needed 2.10 labels Sep 19, 2019
@melloware
Copy link

melloware commented Sep 20, 2019

Since you mentioned commons config 1.9 you might also want to block commons-configuration2 which is a different class.

org.apache.commons.configuration2.JNDIConfiguration

@ybhou1993

This comment has been minimized.

@cowtowncoder
Copy link
Member

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

@ybhou1993
Copy link
Author

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I agree what you said. Besides, I wonder to know if 2.9.10 version would be released in mid-October or later?

@ybhou1993
Copy link
Author

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I have send a email to [email protected]. The article is written in Chinese, published in a china security community

@cowtowncoder
Copy link
Member

I hope 2.9.10 can released early in October, in first part. I just want to wait for 2.10.0 to get out first.
Thank you for sending more details, that should be helpful.

@cowtowncoder cowtowncoder removed the need-test-case To work on issue, a reproduction (ideally unit test) needed label Sep 20, 2019
@cowtowncoder cowtowncoder modified the milestones: 2.9,0.pr4, 2.9.10 Sep 20, 2019
@cowtowncoder
Copy link
Member

cowtowncoder commented Sep 20, 2019

Ok, so, commons-configuration (and -2) seem plausible via setProperty() (as per article) so I added blocks.
This issue shall remain for those ones.

I filed Xalan part under #2469

@cowtowncoder cowtowncoder changed the title new gadgets which can cause RCE Block two more gadget type (commons-configuration/-2) Sep 20, 2019
@cowtowncoder cowtowncoder changed the title Block two more gadget type (commons-configuration/-2) Block two more gadget types (commons-configuration/-2) Sep 27, 2019
@cowtowncoder
Copy link
Member

2.9.10 not released, contains blocks. 2.10.0 released, does contain block, but not considered vulnerable since "enableDefaultTyping()" deprecated, safe "activateDefaultTyping()" added.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants