flex-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christofer Dutz <christofer.d...@c-ware.de>
Subject Re: Security vulnerabilities in BlazeDS 4.7.2
Date Mon, 21 Nov 2016 21:50:31 GMT
Hi Oleg,

it seems these issues are not related to BlazeDS ... the flex-messaging-opt-tomcat7-4.7.2.jar
for example contains only one class.
The CVEs reported by that tool seem to all be related to tomcat. We can’t do much about
that. Also as far ar I know there aren’t any CVEs in any of the public lists, which we haven’t

I would suggest to update tomcat and not blazeds.


Am 21.11.16, 16:50 schrieb "olegkon" <olegkon@gmail.com>:

    We are in the process of upgrading BlazeDS in Flex+Java web app,
    because when we run OWASP Dependency Check 1.4.3, it showed a High
    Vulnerabilities in 1 file:
    Dependency  CPE  GAV  Highest Severity CVE Count CPE Confidence Evidence
    cre.war: blazeds-core- cpe:/a:adobe:blazeds:  
    High  2 LOW 7 
    However, when we tried to do the same with Apache BlazeDS 4.7.2, we got even
    more of those:
    cre.war: flex-messaging-core-4.7.2.jar cpe:/a:apache:flex:4.7.2 
    org.apache.flex.blazeds:flex-messaging-core:4.7.2  Medium  1 LOW 16 
    cre.war: flex-messaging-opt-tomcat7-4.7.2.jar cpe:/a:apache:flex:4.7.2 
    org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2  High  59 MEDIUM 16 
    More details (on 4.7.2 - I only put High Severity, there is lots and lots of
    cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
    File Path:
    MD5: 8e188c61285fa087116df2a350571c1c
    SHA1: e34b3ab4b6d72384a44e15b992801bc4849b5412 
    •cpe: cpe:/a:apache:flex:4.7.2   Confidence:LOW   suppress 
    •cpe: cpe:/a:apache:tomcat:7.0.0   Confidence:MEDIUM   suppress 
    •maven: org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2  
    Published Vulnerabilities
    CVE-2016-6325  suppress
    Severity: High 
    CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 
    CWE: CWE-264 Permissions, Privileges, and Access Controls 
    The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web
    Server 3.0, and JBoss EWS 2 uses weak permissions for (1)
    /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local
    users to gain privileges by leveraging membership in the tomcat group. 
    •CONFIRM -
    •CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
    •REDHAT - RHSA-2016:2045
    •REDHAT - RHSA-2016:2046
    Vulnerable Software & Versions:
    CVE-2016-5425  suppress
    Severity: High 
    CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 
    CWE: CWE-264 Permissions, Privileges, and Access Controls 
    The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS,
    Oracle Linux, and possibly other Linux distributions uses weak permissions
    for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root
    privileges by leveraging membership in the tomcat group. 
    •BID - 93472
    •CONFIRM -
    •MISC -
    •MISC -
    •MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on
    RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora,
    OracleLinux, RedHat etc.)
    •REDHAT - RHSA-2016:2046
    Vulnerable Software & Versions:
    CVE-2016-3092  suppress
    Severity: High 
    CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 
    CWE: CWE-20 Improper Input Validation 
    The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
    in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
    and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
    a denial of service (CPU consumption) via a long boundary string. 
    •BID - 91453
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
    •CONFIRM - http://tomcat.apache.org/security-7.html
    •CONFIRM - http://tomcat.apache.org/security-8.html
    •CONFIRM - http://tomcat.apache.org/security-9.html
    •CONFIRM -
    •CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •DEBIAN - DSA-3609
    •DEBIAN - DSA-3611
    •DEBIAN - DSA-3614
    •JVN - JVN#89379547
    •JVNDB - JVNDB-2016-000121
    •MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information
    disclosure vulnerability
    •UBUNTU - USN-3024-1
    •UBUNTU - USN-3027-1
    Vulnerable Software & Versions: (show all)
    CVE-2016-1240  suppress
    Severity: High 
    CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 
    CWE: CWE-20 Improper Input Validation 
    The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and
    tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and
    libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the
    tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu
    14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2
    on Ubuntu 16.04 LTS allows local users with access to the tomcat account to
    gain root privileges via a symlink attack on the Catalina log file, as
    demonstrated by /var/log/tomcat7/catalina.out. 
    •BUGTRAQ - 20161001 CVE-2016-1240 - Tomcat packaging on Debian-based distros
    - Local Root Privilege Escalation
    •DEBIAN - DSA-3669
    •DEBIAN - DSA-3670
    •MISC -
    •SECTRACK - 1036845
    •UBUNTU - USN-3081-1
    Vulnerable Software & Versions: (show all)
    CVE-2016-0763  suppress
    Severity: Medium 
    CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) 
    CWE: CWE-264 Permissions, Privileges, and Access Controls 
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
    before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
    whether ResourceLinkFactory.setGlobalContext callers are authorized, which
    allows remote authenticated users to bypass intended SecurityManager
    restrictions and read or write to arbitrary application data, or cause a
    denial of service (application disruption), via a web application that sets
    a crafted global context. 
    •BUGTRAQ - 20160222 [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725926
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725929
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725931
    •CONFIRM - http://tomcat.apache.org/security-7.html
    •CONFIRM - http://tomcat.apache.org/security-8.html
    •CONFIRM - http://tomcat.apache.org/security-9.html
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •DEBIAN - DSA-3530
    •DEBIAN - DSA-3552
    •DEBIAN - DSA-3609
    •UBUNTU - USN-3024-1
    Vulnerable Software & Versions: (show all)
    CVE-2014-0230  suppress
    Severity: High 
    CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 
    CWE: CWE-399 Resource Management Errors 
    Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9
    does not properly handle cases where an HTTP response occurs before
    finishing the reading of an entire request body, which allows remote
    attackers to cause a denial of service (thread consumption) via a series of
    aborted upload attempts. 
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603770
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603775
    •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603779
    •CONFIRM - http://tomcat.apache.org/security-6.html
    •CONFIRM - http://tomcat.apache.org/security-7.html
    •CONFIRM - http://tomcat.apache.org/security-8.html
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •DEBIAN - DSA-3530
    •HP - HPSBOV03503
    •HP - HPSBUX03561
    •MLIST - [oss-security] 20150409 Apache Tomcat partial file upload DoS
    •MLIST - [tomcat-announce] 20150505 [SECURITY] CVE-2014-0230: Apache Tomcat
    •REDHAT - RHSA-2016:0595
    •REDHAT - RHSA-2016:0596
    •REDHAT - RHSA-2016:0597
    •REDHAT - RHSA-2016:0598
    •REDHAT - RHSA-2016:0599
    Vulnerable Software & Versions: (show all)
    CVE-2014-0050  suppress
    Severity: High 
    CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 
    CWE: CWE-264 Permissions, Privileges, and Access Controls 
    MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
    Apache Tomcat, JBoss Web, and other products, allows remote attackers to
    cause a denial of service (infinite loop and CPU consumption) via a crafted
    Content-Type header that bypasses a loop's intended exit conditions. 
    •BID - 65400
    •BUGTRAQ - 20140625 NEW VMSA-2014-0007 - VMware product updates address
    security vulnerabilities in Apache Struts library
    •BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates
    address security vulnerabilities
    •CONFIRM - http://advisories.mageia.org/MGASA-2014-0110.html
    •CONFIRM - http://svn.apache.org/r1565143
    •CONFIRM - http://tomcat.apache.org/security-7.html
    •CONFIRM - http://tomcat.apache.org/security-8.html
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21669554
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675432
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676092
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676401
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676403
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676405
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676410
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676656
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676853
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677691
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677724
    •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681214
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM -
    •CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0007.html
    •CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
    •CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1062337
    •CONFIRM -
    •FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates
    address security vulnerabilities
    •HP - HPSBGN03329
    •JVN - JVN#14876762
    •JVNDB - JVNDB-2014-000017
    •MANDRIVA - MDVSA-2015:084
    •MISC -
    •MISC -
    •MLIST - [commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons
    FileUpload and Apache Tomcat DoS
    •REDHAT - RHSA-2014:0400
    Vulnerable Software & Versions: (show all)
    CVE-2013-2185  suppress
    Severity: High 
    CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 
    CWE: CWE-20 Improper Input Validation 
    ** DISPUTED ** The readObject method in the DiskFileItem class in Apache
    Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application
    Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to
    write to arbitrary files via a NULL byte in a file name in a serialized
    instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly
    disputed by the Apache Tomcat team, although Red Hat considers it a
    vulnerability. The dispute appears to regard whether it is the
    responsibility of applications to avoid providing untrusted data to be
    deserialized, or whether this class should inherently protect against this
    •MLIST - [oss-security] 20130905 Re: CVE-2013-2185 / Tomcat
    •MLIST - [oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a
    duplicate of CVE-2013-2185
    •REDHAT - RHSA-2013:1193
    •REDHAT - RHSA-2013:1194
    •REDHAT - RHSA-2013:1265
    Vulnerable Software & Versions: (show all)
    •cpe:/a:apache:tomcat:7.0.39 and all previous versions
    Can anyone look into that?
    What would you recommend?
    Thank you,
    View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Security-vulnerabilities-in-BlazeDS-4-7-2-tp14175.html
    Sent from the Apache Flex Users mailing list archive at Nabble.com.

View raw message