openjpa-dev mailing list archives

From Mark Struberg <strub...@yahoo.de>
Subject Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
Date Thu, 13 Jun 2013 06:33:28 GMT
+1

LieGrue,
strub
----- Original Message -----
> From: Romain Manni-Bucau <rmannibucau@gmail.com>
> To: dev@openjpa.apache.org
> Cc: 
> Sent: Wednesday, 12 June 2013, 23:15
> Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
> 
> Hi
> 
> TomEE trunk relies on openjpa snapshot
> 
> With such an issue, I wonder about an early release (maybe a beta?)
> 
> Wdyt?
> On 12 June 2013 at 21:33, "Jeremy Bauer" <jrbauer@apache.org>
> wrote:
> 
>> 
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA1
>> 
>>  CVE-2013-1768: Apache OpenJPA security vulnerability
>> 
>>  Severity: Important
>> 
>>  Vendor: The Apache Software Foundation
>> 
>>  Versions Affected:
>> 
>>  OpenJPA 1.0.0 to 1.0.4
>>  OpenJPA 1.1.0
>>  OpenJPA 1.3.0
>>  OpenJPA 1.2.0 to 1.2.2
>>  OpenJPA 2.0.0 to 2.0.1
>>  OpenJPA 2.1.0 to 2.1.1
>>  OpenJPA 2.2.0 to 2.2.1
>> 
>>  Description: Deserialization of a maliciously crafted OpenJPA object can
>>  result in an executable file being written to the file system. An
>>  attacker needs to discover an unprotected server program to exploit the
>>  vulnerability.  It then needs to exploit another unprotected server
>>  program to execute the file and gain access to the system.  OpenJPA
>>  usage by itself does not introduce the vulnerability.
>> 
>>  Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
>>  specification level should upgrade to the OpenJPA 1.2.3 release.  Users
>>  of OpenJPA using a release based upon the JPA 2.0 specification level
>>  should upgrade to the OpenJPA 2.2.2 release.  Users needing to stay on
>>  their current release should get the latest code from svn for the
>>  corresponding branch level or apply a source patch and build a new
>>  binary package.  Nightly snapshots of the latest source builds are also
>>  available for many branches.
>> 
>>  OpenJPA release branch levels and corresponding fix revisions:
>> 
>>  OpenJPA 1.0.x revision 1462558:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462558
>>  OpenJPA 1.1.x revision 1462512:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462512
>>  OpenJPA 1.2.x revision 1462488:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462488
>>  OpenJPA 1.3.x revision 1462328:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462328
>>  OpenJPA 2.0.x revision 1462318:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462318
>>  OpenJPA 2.1.x revision 1462268:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462268
>>  OpenJPA 2.2.1.x revision 1462225:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462225
>>  OpenJPA 2.2.x revision 1462076:
>>  http://svn.apache.org/viewvc?view=revision&revision=1462076
>> 
>>  Example: An attacker creates a customized serialization of an OpenJPA
>>  object.  The attacker exploits an unprotected server program to execute
>>  the object.  The object includes logic that results in malicious trace
>>  being written to a file, such as a JSP.  The file containing malicious
>>  commands is written to a potentially vulnerable area of the system.  The
>>  attacker exploits a second unprotected server program to execute the
>>  file and gain access to the system.
>> 
>>  Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
>>  -----BEGIN PGP SIGNATURE-----
>>  Version: GnuPG v2.0.20 (MingW32)
>>  Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>> 
>>  iQIcBAEBAgAGBQJRuMz9AAoJEALD36U3PPjRdzMQAKYkGuFQ/jT6Txy5UemN7oC3
>>  bAUsJRlAsV11uZTnTNo4hgtZVA9Q9fN2NbswjcWFS+/U1MljgrF9lqHspm/SV9o5
>>  Yi4S39AtMKva0eBMGaRGBpARhu7QbMOxD7D9dqp79bHcgxfZROG71bwx4dTL3q3Z
>>  3dxOEnkqPUM9vZFm3zrMKF4Hy3q/TuMIJtFtj/B5KuNtlJFXUe908wzoQyQjm9Al
>>  M7xZhWGdGnVwD1ynlrG5exWZ8xlQ5W4TGeK/h3zJ05kYQHXIwhgiympApNfIYCQZ
>>  1zexnGv7pWQI/NVXPv8XaxtZ6HYUn+1GpZ8ipF4nCoXy0KTfLJmd9wcpxU8b+4c1
>>  tguzC8rYbol7TxkMy/HpAgHTavIfDXFZyjl5/z2X6e+s6YtP+TRCN8Jy7fpg0AuU
>>  OFQp+LoY06vFJmoJiL0+TiNeotcZuH1l8OL6PuvXHF/4saAUfADNHqJIR5xBTdPY
>>  rIy8gtS06IM6aOhSbCrJphIpSOk5qQQV5Uhzfo5NXFeglBxP+YEPFq5sBmVIPEOG
>>  IL6u6CAclmMKg+vqXUeY1EsmV2lrhqshyBh7umTSSm7YWNgoQJJxUn/8phxATJ3K
>>  DlaZWId//mmnz36349m9HF2hc5iPea01MDcWHUwe2a0d0Wmwz6CXlvWuBNtTmZoV
>>  7iGIxMiN7yJ14RZoDsKw
>>  =LVgy
>>  -----END PGP SIGNATURE-----
>> 
>> 
> 
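The advisory above notes that OpenJPA alone does not introduce the issue: the crafted object has to reach an endpoint that deserializes untrusted input, and from there a second weakness is needed to execute the written file. The following is an added example, not code from OpenJPA or from any of the posters, showing the defensive control that closes the first step: an ObjectInputStream that rejects any class not on an explicit allowlist before the object is instantiated. The Ticket and Unexpected classes and the allowlist contents are constructed for the demo and are not OpenJPA types.

```java
import java.io.*;
import java.util.Set;

// Added example: look-ahead deserialization with a class allowlist.
// Everything here (class names, allowlist) is constructed for illustration.
public class AllowlistDeserializer {

    // Hypothetical application type that is legitimately expected on the wire.
    public static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Hypothetical type that should never arrive from an untrusted peer.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Only classes named here may be instantiated from the stream.
    static final Set<String> ALLOWED = Set.of(Ticket.class.getName());

    // resolveClass runs before the object is constructed, so a rejection here
    // means no readObject/readResolve logic of an unexpected class ever executes.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("Rejected class: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        Ticket ok = (Ticket) deserialize(serialize(new Ticket("T-42")));
        System.out.println("accepted: " + ok.id);

        // Unlisted type: rejected before instantiation.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later the same policy can be expressed with the built-in java.io.ObjectInputFilter instead of overriding resolveClass; the point is the same either way: an endpoint that deserializes data from the network should name the types it expects rather than accept whatever class the stream declares.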
