  1. Velocity Tools
  2. VELTOOLS-170

Upgrade beanutils to 1.9.3 & suppress access to class and Class

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 3.0
    • Component/s: Build
    • Labels: None

    Description

      Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and mitigate CVE-2014-0114. See BEANUTILS-463 for fix info.

      Velocity Tools v2.0 currently uses bean-utils v1.7.0

      Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat analysis has updated affected versions to include 1.7.0.

      Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

      CVSS Version 2 Metrics:

      Access Vector: Network exploitable
      Access Complexity: Low
      Authentication: Not required to exploit
      Impact Type:

      • Allows unauthorized disclosure of information
      • Allows unauthorized modification
      • Allows disruption of service

      Edit: 28th November 2016

      Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November 2016). From the vulnerability information provided (and highlighting in red the bit that applies to Velocity Tools):

      Explanation

      Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class and Class properties is not suppressed, exposing them by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader potentially leading to arbitrary code execution.

      Detection

      If you are the calling application, you are vulnerable by running this component without filtering the property names class and Class. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control.

      Note: If you are using the built-in implementation of SuppressPropertiesBeanIntrospector added in version 1.9.2 of commons-beanutils as your mitigation you are still vulnerable. Although the built-in implementation specifically suppresses the class property, it does not also suppress Class.

      Recommendation

      Although commons-beanutils offers a built-in implementation of SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically suppresses the “class” property, it does not also suppress “Class”. Due to this insufficient fix which is also not enabled by default, we recommend implementing your own custom mitigating control such as the one found here -

      https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
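
The mitigating control described above, as an added example that is not part of the original issue or of the Velocity Tools code base: it registers a SuppressPropertiesBeanIntrospector for both `class` and `Class` on the shared PropertyUtilsBean and then checks that neither name is still resolvable. It assumes commons-beanutils 1.9.2 or later on the classpath; `ClassPropertyGuard`, `harden`, `exposesBlocked` and `SampleBean` are hypothetical names.

```java
import java.beans.PropertyDescriptor;
import java.util.Arrays;
import java.util.Collection;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Hypothetical helper class, written for this example only.
public class ClassPropertyGuard {
    // Both spellings named in the advisory text above.
    static final Collection<String> BLOCKED = Arrays.asList("class", "Class");

    /** Register the suppressing introspector on the given PropertyUtilsBean. */
    static void harden(PropertyUtilsBean pub) {
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(BLOCKED));
        pub.clearDescriptors(); // drop descriptors cached before hardening
    }

    /** True if any blocked name is still exposed as a property of the type. */
    static boolean exposesBlocked(PropertyUtilsBean pub, Class<?> type) {
        for (PropertyDescriptor pd : pub.getPropertyDescriptors(type)) {
            if (BLOCKED.contains(pd.getName())) return true;
        }
        return false;
    }

    // Constructed sample bean standing in for any object populated by name.
    public static class SampleBean {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("before: exposed=" + exposesBlocked(pub, SampleBean.class));
        harden(pub);
        System.out.println("after:  exposed=" + exposesBlocked(pub, SampleBean.class));
        try {
            pub.getProperty(new SampleBean(), "class.name"); // nested path through getClass()
            throw new IllegalStateException("class is still reachable");
        } catch (NoSuchMethodException expected) {
            System.out.println("class.name rejected: " + expected.getMessage());
        }
    }
}
```

BeanUtilsBean.getInstance() is scoped to the context class loader, so `harden` has to run once in every web application or class loader that populates beans from untrusted property names.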

          People

            cbrisson Claude Brisson
            marks Mark Symons