ant-dev mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: Fortify Open Review Project - Apache .NET Ant 1.1
Date Fri, 13 Nov 2015 08:48:25 GMT

On 2015-11-11, Fortify Open Review Project wrote:

> The HP Fortify Open Review team has assessed Apache .NET Ant 1.1 for
> possible security vulnerabilities and the results of your assessment
> are attached.  It is HP's policy to make all results public on our
> Fortify on Demand website within 60 days from the date of this
> notification.

Since you sent the report to the public dev@ant.apache.org mailing list,
the report would already have been disclosed if the list were set up to
allow posts by non-subscribers.

Please see <http://ant.apache.org/security.html> and
<http://www.apache.org/security/> for ways to report security
vulnerabilities.

It is the experience of the Apache Software Foundation that
static analysis tools -  including Fortify - generate very large
numbers of false positives and very few - if any - valid vulnerability
reports when run against code. Therefore, the Apache Software
Foundation does not accept any vulnerability reports generated from a
static analysis tool unless that vulnerability report is backed up
with manual analysis that demonstrates how the claimed vulnerability
might be exploited.

The vulnerabilities detected by Fortify for the .NET Antlib are false
positives.

Ant is a tool used to build software projects. Given the nature of this
tool, the following actions can typically be taken using ant:
  - file system access, including writing files (as far as permitted to
    the user running ant)
  - the execution of executables (as far as permitted to the user running
    ant)
  - compilation of new software
  - execution of software compiled using ant

This basically means that using ant it is quite easy to execute arbitrary
executables. The string comparison is not used to prevent (or ensure)
that certain binaries are executed.

In case Ant is used as part of a server process, be aware that by accepting
build files you are basically prone to an open remote code execution
vulnerability. While this may be acceptable for build / continuous
integration servers (probably with some kind of accountability), this would
normally not be acceptable outside a development environment.

This implies an attack based on casing errors cannot be considered a
security vulnerability in Ant (as an attacker could easily use ant to
execute random code, including code to starve the CPU, or even to post all
of your files to a newsgroup; building and executing code is core
functionality of ant).

Stefan

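The point above, that a server accepting build files from outsiders is accepting arbitrary code, suggests the kind of triage a CI service would want before running a submitted build.xml. The following is an added example, not code from this mail or from Ant itself: it walks an Ant build file and reports every task that starts a process, evaluates a script, loads arbitrary classes, or comes from an external antlib (such as the .NET antlib discussed here). The task names are Ant's real core tasks; the sample build file and its antlib URI are constructed for the example.

```python
"""Triage an Ant build file for tasks that can run code (added example)."""
import xml.etree.ElementTree as ET

# Core Ant tasks that start a process, evaluate an inline script, or load
# arbitrary classes into the build JVM. Anything from a non-core antlib
# namespace is reported for manual review rather than assumed safe.
PROCESS_TASKS = {"exec", "apply", "java", "sshexec"}
SCRIPT_TASKS = {"script", "scriptdef"}
CLASSLOAD_TASKS = {"taskdef", "typedef"}
DETAIL_ATTRS = ("executable", "classname", "jar", "language", "command")


def _split_tag(tag):
    """Return (namespace, local name) for an ElementTree tag like '{ns}name'."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def _walk(elem, target, out):
    for child in elem:
        ns, name = _split_tag(child.tag)
        # Track the enclosing <target> so findings say where they live.
        tgt = child.get("name") if (name == "target" and not ns) else target
        detail = next((f"{a}={child.get(a)}" for a in DETAIL_ATTRS
                       if child.get(a)), "")
        if ns:
            out.append(("antlib task, review manually", f"{ns}:{name}", tgt, detail))
        elif name in PROCESS_TASKS:
            out.append(("starts a process", name, tgt, detail))
        elif name in SCRIPT_TASKS:
            out.append(("evaluates inline script", name, tgt, detail))
        elif name in CLASSLOAD_TASKS:
            out.append(("loads arbitrary classes", name, tgt, detail))
        _walk(child, tgt, out)  # nested containers (macrodef, sequential, ...)


def find_code_execution(build_xml):
    """Return a list of (reason, task, enclosing target, detail) findings."""
    findings = []
    _walk(ET.fromstring(build_xml), None, findings)
    return findings


# Constructed sample build file; the dn: namespace URI is assumed.
SAMPLE_BUILD = """<project name="sample" default="build"
         xmlns:dn="antlib:org.apache.ant.dotnet">
  <target name="build">
    <mkdir dir="out"/>
    <javac srcdir="src" destdir="out"/>
    <exec executable="sh"><arg value="scripts/post-build.sh"/></exec>
    <java classname="com.example.Main" classpath="out" fork="true"/>
  </target>
  <target name="deploy">
    <taskdef name="helper" classname="com.example.HelperTask"/>
    <script language="javascript">print("hello")</script>
    <dn:msbuild buildfile="app.csproj"/>
  </target>
</project>"""

if __name__ == "__main__":
    for reason, task, target, detail in find_code_execution(SAMPLE_BUILD):
        print(f"target={target!s:8} {task:45} {reason} {detail}")
```

A build file with no findings still writes to the file system wherever the Ant user may, so an empty report means "no process spawned", not "safe".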