[jira] [Comment Edited] (VELTOOLS-170) Upgrade beanutils to 1.9.2 & supress access to class and Class

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Comment Edited] (VELTOOLS-170) Upgrade beanutils to 1.9.2 & supress access to class and Class

Velocity - Dev mailing list-2

    [ https://issues.apache.org/jira/browse/VELTOOLS-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105277#comment-16105277 ]

Jon Harper edited comment on VELTOOLS-170 at 7/28/17 4:45 PM:
--------------------------------------------------------------

bq. Although commons-beanutils offers a built-in implementation of SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically suppresses the “class” properly, it does not also suppress “Class”. Due to this insufficient fix which is also not enabled by default, we recommend implementing your own custom mitigating control such as the one found here -

From my tests, commons-beanutils doesn't access getClass() when using "Class". The only thing that works is using "class".
So can you confirm that SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is an actually a "sufficient fix", contrary to what you said earlier ? ( Was this just confusion with struts2 which uses OGNL which has different rules than commons-beanutils ?)

Here are the logs I get from beanutils when using "class" vs "Class":
"class":
{noformat}
beanutils.BeanUtils - BeanUtils.populate(com.example.business.Project@3971f0dc, {Class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=[Ljava.lang.String;@XXXXXXXX})
beanutils.BeanUtils -   setProperty(com.example.business.Project@3971f0dc, Class.classLoader.resources.context.parent.pipeline.first.fileDateFormat, [12])
beanutils.MethodUtils - Matching name=getClass on class com.example.business.Project
beanutils.MethodUtils - Found matching name:
beanutils.MethodUtils - public final native java.lang.Class java.lang.Object.getClass()
beanutils.MethodUtils - No match found.
beanutils.MethodUtils - Matching name=isClass on class com.example.business.Project
beanutils.MethodUtils - No match found.
{noformat}

"Class"
{noformat}
beanutils.BeanUtils - BeanUtils.populate(com.example.business.Project@3971f0dc, {class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=[Ljava.lang.String;@XXXXXXXX})
beanutils.BeanUtils -   setProperty(com.example.business.Project@3971f0dc, class.classLoader.resources.context.parent.pipeline.first.fileDateFormat, [12])
beanutils.BeanUtils -     Target bean = org.apache.catalina.valves.AccessLogValve[localhost]
beanutils.BeanUtils -     Target name = fileDateFormat
beanutils.ConvertUtils - Convert string '12' to class 'java.lang.String'
beanutils.ConvertUtils -   Using converter ConverterFacade[StringConverter[UseDefault=true]]
converters.StringConverter - Converting 'String' value '12' to type 'String'
beanutils.PropertyUtils - setSimpleProperty: Invoking method public void org.apache.catalina.valves.AccessLogValve.setFileDateFormat(java.lang.String) with value 12 (class java.lang.String)
{noformat}

Tested with commons-beanutils-1.9.3.jar

Thanks in advance


was (Author: jonenst):
bq. Although commons-beanutils offers a built-in implementation of SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically suppresses the “class” properly, it does not also suppress “Class”. Due to this insufficient fix which is also not enabled by default, we recommend implementing your own custom mitigating control such as the one found here -

From my tests, commons-beanutils doesn't access getClass() when using "Class". The only thing that works is using "class".
So can you confirm that SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is an actually a "sufficient fix", contrary to what you said earlier ? ( Was this just confusion with struts2 which uses OGNL which has different rules than commons-beanutils ?)

Here are the logs I get from beanutils when using "class" vs "Class":
"class":
{noformat}
beanutils.BeanUtils - BeanUtils.populate(com.example.business.Project@3971f0dc, {Class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=[Ljava.lang.String;@XXXXXXXX})
beanutils.BeanUtils -   setProperty(com.example.business.Project@3971f0dc, Class.classLoader.resources.context.parent.pipeline.first.fileDateFormat, [12])
beanutils.MethodUtils - Matching name=getClass on class com.example.business.Project
beanutils.MethodUtils - Found matching name:
beanutils.MethodUtils - public final native java.lang.Class java.lang.Object.getClass()
beanutils.MethodUtils - No match found.
beanutils.MethodUtils - Matching name=isClass on class com.example.business.Project
beanutils.MethodUtils - No match found.
{noformat}

"Class"
{noformat}
beanutils.BeanUtils - BeanUtils.populate(com.example.business.Project@3971f0dc, {class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=[Ljava.lang.String;@XXXXXXXX})
beanutils.BeanUtils -   setProperty(com.example.business.Project@3971f0dc, class.classLoader.resources.context.parent.pipeline.first.fileDateFormat, [12])
beanutils.BeanUtils -     Target bean = org.apache.catalina.valves.AccessLogValve[localhost]
beanutils.BeanUtils -     Target name = fileDateFormat
beanutils.ConvertUtils - Convert string '12' to class 'java.lang.String'
beanutils.ConvertUtils -   Using converter ConverterFacade[StringConverter[UseDefault=true]]
converters.StringConverter - Converting 'String' value '12' to type 'String'
beanutils.PropertyUtils - setSimpleProperty: Invoking method public void org.apache.catalina.valves.AccessLogValve.setFileDateFormat(java.lang.String) with value 12 (class java.lang.String)
{noformat}

Thanks in advance

> Upgrade beanutils to 1.9.2 & supress access to class and Class
> --------------------------------------------------------------
>
>                 Key: VELTOOLS-170
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-170
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Priority: Critical
>
> Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and mitigate CVE-2014-0114.   See BEANUTILS-463 for fix info.
> Velocity Tools v2.0 currently uses bean-utils v1.7.0
> Whilst the CVE text references beanutils v1.8.0,  Black Duck Hub threat analysis have updated affected versions to include 1.7.0.
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
> {quote}
> h5.CVSS Version 2 Metrics:
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type:
> * Allows unauthorized disclosure of information
> * Allows unauthorized modification
> * Allows disruption of service
> h3.Edit: 28th November 2016
> Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November 2016).  From the vulnerability information provided (and highlighting in red the bit that applies to Velocity Tools):
> {quote}
> h4.Explanation
> Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the {{class}} and {{Class}} properties is not suppressed, exposing them by default. An attacker can construct malicious input using the {{class property}} in order to manipulate the {{ClassLoader}} potentially leading to arbitrary code execution.
> h4.Detection
> {color:red}If you are the calling application, you are vulnerable by running this component without filtering the property names {{class}} and {{Class}}{color}. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control.
> Note: If you are using the built-in implementation of {{SuppressPropertiesBeanIntrospector}} added in version 1.9.2 of {{commons-beanutils}} as your mitigation you are still vulnerable. Although the built-in implementation specifically suppresses the {{class}} properly, it does not also suppress {{Class}}.
> h4.Recommendation
> Although commons-beanutils offers a built-in implementation of SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically suppresses the “class” properly, it does not also suppress “Class”. Due to this insufficient fix which is also not enabled by default, we recommend implementing your own custom mitigating control such as the one found here -
> https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
> {quote}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]