flex-users mailing list archives

From Gary Yang <flashflex...@gmail.com>
Subject Re: Security vulnerabilities in BlazeDS 4.7.2
Date Mon, 21 Nov 2016 16:27:22 GMT
As a user I would expect something like:


    <bean class="????.amf.io.RegexAMF3DeserializerSecurizer">
        <property name="pattern"
                  value="#{'(^com\.usercom1\..+|^com\.usercom2\..+|^flex\.messaging\.io\..+)'}"/>
    </bean>

and force users to understand and provide this pattern explicitly in
production deployment.



On Mon, Nov 21, 2016 at 10:50 AM, olegkon <olegkon@gmail.com> wrote:

> Hi,
>
> We are in the process of upgrading BlazeDS in a Flex+Java web app,
> because when we ran OWASP Dependency Check 1.4.3, it showed High
> Vulnerabilities in 1 file:
>
> Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count
> cre.war: blazeds-core-4.0.0.14931.jar | cpe:/a:adobe:blazeds:4.0.0.14931 | | High | 2 | LOW | 7
>
> However, when we tried to do the same with Apache BlazeDS 4.7.2, we got
> even more of those:
>
> cre.war: flex-messaging-core-4.7.2.jar | cpe:/a:apache:flex:4.7.2 | org.apache.flex.blazeds:flex-messaging-core:4.7.2 | Medium | 1 | LOW | 16
> cre.war: flex-messaging-opt-tomcat7-4.7.2.jar | cpe:/a:apache:flex:4.7.2, cpe:/a:apache:tomcat:7.0.0 | org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2 | High | 59 | MEDIUM | 16
>
> More details (on 4.7.2 - I only put High Severity, there are lots and lots
> of Mediums):
> cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
>
>
> File Path:
> C:\web\cre\dist\cre.war\WEB-INF\lib\flex-messaging-opt-tomcat7-4.7.2.jar
> MD5: 8e188c61285fa087116df2a350571c1c
> SHA1: e34b3ab4b6d72384a44e15b992801bc4849b5412
>
> Evidence
>
> Identifiers
>
> • cpe: cpe:/a:apache:flex:4.7.2   Confidence: LOW
> • cpe: cpe:/a:apache:tomcat:7.0.0   Confidence: MEDIUM
> • maven: org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2   Confidence: HIGHEST
>
> Published Vulnerabilities
>
>
> CVE-2016-6325
>
> Severity: High
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web
> Server 3.0, and JBoss EWS 2 uses weak permissions for (1)
> /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local
> users to gain privileges by leveraging membership in the tomcat group.
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
> • REDHAT - RHSA-2016:2045
> • REDHAT - RHSA-2016:2046
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:-
>
>
> CVE-2016-5425
>
> Severity: High
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS,
> Oracle Linux, and possibly other Linux distributions uses weak permissions
> for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root
> privileges by leveraging membership in the tomcat group.
> • BID - 93472
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> • MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
> • MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
> • MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
> • REDHAT - RHSA-2016:2046
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat
>
> CVE-2016-3092
>
> Severity: High
> CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-20 Improper Input Validation
>
> The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
> a denial of service (CPU consumption) via a long boundary string.
> • BID - 91453
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
> • CONFIRM - http://tomcat.apache.org/security-7.html
> • CONFIRM - http://tomcat.apache.org/security-8.html
> • CONFIRM - http://tomcat.apache.org/security-9.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
> • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
> • DEBIAN - DSA-3609
> • DEBIAN - DSA-3611
> • DEBIAN - DSA-3614
> • JVN - JVN#89379547
> • JVNDB - JVNDB-2016-000121
> • MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
> • UBUNTU - USN-3024-1
> • UBUNTU - USN-3027-1
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:7.0.0:beta
> • ...
>
>
> CVE-2016-1240
>
> Severity: High
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-20 Improper Input Validation
>
> The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and
> tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and
> libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the
> tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu
> 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2
> on Ubuntu 16.04 LTS allows local users with access to the tomcat account to
> gain root privileges via a symlink attack on the Catalina log file, as
> demonstrated by /var/log/tomcat7/catalina.out.
> • BUGTRAQ - 20161001 CVE-2016-1240 - Tomcat packaging on Debian-based distros - Local Root Privilege Escalation
> • DEBIAN - DSA-3669
> • DEBIAN - DSA-3670
> • MISC - http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
> • SECTRACK - 1036845
> • UBUNTU - USN-3081-1
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:7.0
> • ...
>
> CVE-2016-0763
>
> Severity: Medium
> CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> The setGlobalContext method in
> org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
> before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
> whether ResourceLinkFactory.setGlobalContext callers are authorized, which
> allows remote authenticated users to bypass intended SecurityManager
> restrictions and read or write to arbitrary application data, or cause a
> denial of service (application disruption), via a web application that sets
> a crafted global context.
> • BUGTRAQ - 20160222 [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725926
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725929
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725931
> • CONFIRM - http://tomcat.apache.org/security-7.html
> • CONFIRM - http://tomcat.apache.org/security-8.html
> • CONFIRM - http://tomcat.apache.org/security-9.html
> • CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
> • DEBIAN - DSA-3530
> • DEBIAN - DSA-3552
> • DEBIAN - DSA-3609
> • UBUNTU - USN-3024-1
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:7.0.0:beta
> • ...
>
>
> CVE-2014-0230
>
> Severity: High
> CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-399 Resource Management Errors
>
> Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9
> does not properly handle cases where an HTTP response occurs before
> finishing the reading of an entire request body, which allows remote
> attackers to cause a denial of service (thread consumption) via a series of
> aborted upload attempts.
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603770
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603775
> • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603779
> • CONFIRM - http://tomcat.apache.org/security-6.html
> • CONFIRM - http://tomcat.apache.org/security-7.html
> • CONFIRM - http://tomcat.apache.org/security-8.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
> • DEBIAN - DSA-3530
> • HP - HPSBOV03503
> • HP - HPSBUX03561
> • MLIST - [oss-security] 20150409 Apache Tomcat partial file upload DoS CVE-2014-0230
> • MLIST - [tomcat-announce] 20150505 [SECURITY] CVE-2014-0230: Apache Tomcat DoS
> • REDHAT - RHSA-2016:0595
> • REDHAT - RHSA-2016:0596
> • REDHAT - RHSA-2016:0597
> • REDHAT - RHSA-2016:0598
> • REDHAT - RHSA-2016:0599
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:7.0.0:beta
> • ...
>
> CVE-2014-0050
>
> Severity: High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
> Apache Tomcat, JBoss Web, and other products, allows remote attackers to
> cause a denial of service (infinite loop and CPU consumption) via a crafted
> Content-Type header that bypasses a loop's intended exit conditions.
> • BID - 65400
> • BUGTRAQ - 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library
> • BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
> • CONFIRM - http://advisories.mageia.org/MGASA-2014-0110.html
> • CONFIRM - http://svn.apache.org/r1565143
> • CONFIRM - http://tomcat.apache.org/security-7.html
> • CONFIRM - http://tomcat.apache.org/security-8.html
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21669554
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675432
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676092
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676401
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676403
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676405
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676410
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676656
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676853
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677691
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677724
> • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681214
> • CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
> • CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
> • CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
> • CONFIRM - http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
> • CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
> • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
> • CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0007.html
> • CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
> • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1062337
> • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
> • FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
> • HP - HPSBGN03329
> • JVN - JVN#14876762
> • JVNDB - JVNDB-2014-000017
> • MANDRIVA - MDVSA-2015:084
> • MISC - http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
> • MISC - http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
> • MLIST - [commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
> • REDHAT - RHSA-2014:0400
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:7.0.0:beta
> • ...
>
> CVE-2013-2185
>
> Severity: High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
>
> ** DISPUTED ** The readObject method in the DiskFileItem class in Apache
> Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application
> Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to
> write to arbitrary files via a NULL byte in a file name in a serialized
> instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly
> disputed by the Apache Tomcat team, although Red Hat considers it a
> vulnerability. The dispute appears to regard whether it is the
> responsibility of applications to avoid providing untrusted data to be
> deserialized, or whether this class should inherently protect against this
> issue.
> • MLIST - [oss-security] 20130905 Re: CVE-2013-2185 / Tomcat
> • MLIST - [oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185
> • REDHAT - RHSA-2013:1193
> • REDHAT - RHSA-2013:1194
> • REDHAT - RHSA-2013:1265
>
> Vulnerable Software & Versions:
> • cpe:/a:apache:tomcat:7.0.39 and all previous versions
>
>
> Can anyone look into that?
> What would you recommend?
>
> Thank you,
> Oleg.
>
> --
> View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Security-vulnerabilities-in-BlazeDS-4-7-2-tp14175.html
> Sent from the Apache Flex Users mailing list archive at Nabble.com.
>
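The regex-based deserializer securizer Gary proposes above, sketched as an added Java example that is not BlazeDS code: the RegexClassAllowlist class, its methods and the sample class names are assumptions, while the pattern is the one from his suggested bean definition.

```java
import java.util.regex.Pattern;

// Allowlist of class names AMF3 deserialization may instantiate, in the spirit of
// the RegexAMF3DeserializerSecurizer bean suggested in the thread. Added example:
// this class, its methods and the sample names are assumptions, not BlazeDS API.
public final class RegexClassAllowlist {
    private final Pattern allowed;

    public RegexClassAllowlist(String regex) {
        // Fail closed: refuse to start without an explicit production pattern.
        if (regex == null || regex.trim().isEmpty()) {
            throw new IllegalStateException("deserializer allowlist pattern must be set explicitly");
        }
        this.allowed = Pattern.compile(regex);
    }

    /** True only when the entire class name matches the pattern. */
    public boolean isAllowed(String className) {
        // matches() requires the whole name to match; the ^ anchors in the pattern are
        // a second guard so the regex stays prefix-safe even if find() were used later.
        return className != null && allowed.matcher(className).matches();
    }

    /** Resolve a class named in an AMF3 stream only if the allowlist accepts it. */
    public Class<?> resolve(String className) throws ClassNotFoundException {
        if (!isAllowed(className)) {
            throw new SecurityException("AMF3 class not in allowlist: " + className);
        }
        // initialize=false: resolving must not run the class's static initializers.
        return Class.forName(className, false, getClass().getClassLoader());
    }

    public static void main(String[] args) {
        // The exact pattern from the proposed <property name="pattern"> value.
        RegexClassAllowlist allowlist = new RegexClassAllowlist(
            "(^com\\.usercom1\\..+|^com\\.usercom2\\..+|^flex\\.messaging\\.io\\..+)");
        // Constructed sample class names as an AMF3 stream might present them.
        String[] names = {
            "com.usercom1.dto.Order",             // ALLOW
            "flex.messaging.io.ArrayCollection",  // ALLOW
            "org.example.UntrustedType",          // REJECT: not in any allowed package
            "evil.com.usercom1.Spoof"             // REJECT: anchored, so no prefix trick
        };
        for (String n : names) {
            System.out.printf("%-36s -> %s%n", n, allowlist.isAllowed(n) ? "ALLOW" : "REJECT");
        }
    }
}
```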
