openjpa-dev mailing list archives

From: Romain Manni-Bucau <rmannibu...@gmail.com>
Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
Date: Wed, 12 Jun 2013 21:15:12 GMT
Hi

TomEE trunk relies on openjpa snapshot

With such an issue, I wonder about an early release (maybe a beta?)

Wdyt?
On 12 June 2013 21:33, "Jeremy Bauer" <jrbauer@apache.org> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2013-1768: Apache OpenJPA security vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
> OpenJPA 1.0.0 to 1.0.4
> OpenJPA 1.1.0
> OpenJPA 1.3.0
> OpenJPA 1.2.0 to 1.2.2
> OpenJPA 2.0.0 to 2.0.1
> OpenJPA 2.1.0 to 2.1.1
> OpenJPA 2.2.0 to 2.2.1
>
> Description: Deserialization of a maliciously crafted OpenJPA object can
> result in an executable file being written to the file system. An
> attacker needs to discover an unprotected server program to exploit the
> vulnerability.  It then needs to exploit another unprotected server
> program to execute the file and gain access to the system.  OpenJPA
> usage by itself does not introduce the vulnerability.
>
> Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
> specification level should upgrade to the OpenJPA 1.2.3 release.  Users
> of OpenJPA using a release based upon the JPA 2.0 specification level
> should upgrade to the OpenJPA 2.2.2 release.  Users needing to stay on
> their current release should get the latest code from svn for the
> corresponding branch level or apply a source patch and build a new
> binary package.  Nightly snapshots of the latest source builds are also
> available for many branches.
>
> OpenJPA release branch levels and corresponding fix revisions:
>
> OpenJPA 1.0.x revision 1462558:
> http://svn.apache.org/viewvc?view=revision&revision=1462558
> OpenJPA 1.1.x revision 1462512:
> http://svn.apache.org/viewvc?view=revision&revision=1462512
> OpenJPA 1.2.x revision 1462488:
> http://svn.apache.org/viewvc?view=revision&revision=1462488
> OpenJPA 1.3.x revision 1462328:
> http://svn.apache.org/viewvc?view=revision&revision=1462328
> OpenJPA 2.0.x revision 1462318:
> http://svn.apache.org/viewvc?view=revision&revision=1462318
> OpenJPA 2.1.x revision 1462268:
> http://svn.apache.org/viewvc?view=revision&revision=1462268
> OpenJPA 2.2.1.x revision 1462225:
> http://svn.apache.org/viewvc?view=revision&revision=1462225
> OpenJPA 2.2.x revision 1462076:
> http://svn.apache.org/viewvc?view=revision&revision=1462076
>
> Example: An attacker creates a customized serialization of an OpenJPA
> object.  The attacker exploits an unprotected server program to execute
> the object.  The object includes logic that results in malicious trace
> being written to a file, such as a JSP.  The file containing malicious
> commands is written to a potentially vulnerable area of the system.  The
> attacker exploits a second unprotected server program to execute the
> file and gain access to the system.
>
> Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.20 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJRuMz9AAoJEALD36U3PPjRdzMQAKYkGuFQ/jT6Txy5UemN7oC3
> bAUsJRlAsV11uZTnTNo4hgtZVA9Q9fN2NbswjcWFS+/U1MljgrF9lqHspm/SV9o5
> Yi4S39AtMKva0eBMGaRGBpARhu7QbMOxD7D9dqp79bHcgxfZROG71bwx4dTL3q3Z
> 3dxOEnkqPUM9vZFm3zrMKF4Hy3q/TuMIJtFtj/B5KuNtlJFXUe908wzoQyQjm9Al
> M7xZhWGdGnVwD1ynlrG5exWZ8xlQ5W4TGeK/h3zJ05kYQHXIwhgiympApNfIYCQZ
> 1zexnGv7pWQI/NVXPv8XaxtZ6HYUn+1GpZ8ipF4nCoXy0KTfLJmd9wcpxU8b+4c1
> tguzC8rYbol7TxkMy/HpAgHTavIfDXFZyjl5/z2X6e+s6YtP+TRCN8Jy7fpg0AuU
> OFQp+LoY06vFJmoJiL0+TiNeotcZuH1l8OL6PuvXHF/4saAUfADNHqJIR5xBTdPY
> rIy8gtS06IM6aOhSbCrJphIpSOk5qQQV5Uhzfo5NXFeglBxP+YEPFq5sBmVIPEOG
> IL6u6CAclmMKg+vqXUeY1EsmV2lrhqshyBh7umTSSm7YWNgoQJJxUn/8phxATJ3K
> DlaZWId//mmnz36349m9HF2hc5iPea01MDcWHUwe2a0d0Wmwz6CXlvWuBNtTmZoV
> 7iGIxMiN7yJ14RZoDsKw
> =LVgy
> -----END PGP SIGNATURE-----
>
>

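The advisory above says the precondition is a server program that deserializes untrusted input; the OpenJPA fix itself is in the SVN revisions listed in the quoted message. As an added example that is not part of this thread and not OpenJPA code, the following shows the general defensive control a server owner can apply on their own side: a look-ahead deserialization filter (Java 9+ `java.io.ObjectInputFilter`, JEP 290, a facility that postdates this 2013 thread) that rejects any class the application does not expect before the object is constructed. `OrderSummary`, the allow-list contents and the limits are constructed for the example; `java.util.HashMap` stands in for "any class the server did not expect", not for a harmful payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example, not OpenJPA code: an allow-list deserialization filter for a
 * server endpoint that must read Java-serialized objects. Requires Java 9+.
 */
public class DeserializationGuard {

    // Hypothetical application DTO: the one class this endpoint expects to receive.
    public static final class OrderSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        OrderSummary(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Constructed allow-list: the application's own DTO plus the JDK types it references.
    private static final Set<String> ALLOWED = Set.of(
            OrderSummary.class.getName(),
            "java.lang.String", "java.lang.Integer", "java.lang.Number");

    /** Reject classes outside the allow-list and pathological object graphs. */
    static ObjectInputFilter allowListFilter() {
        return info -> {
            // Resource limits (constructed values) apply to every callback, class or not.
            if (info.depth() > 8 || info.references() > 1_000 || info.arrayLength() > 10_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) {
                return ObjectInputFilter.Status.UNDECIDED; // no class to judge in this callback
            }
            Class<?> base = cls;
            while (base.isArray()) {
                base = base.getComponentType();
            }
            if (base.isPrimitive() || ALLOWED.contains(base.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The filter is installed before readObject, so rejection happens at the class descriptor. */
    static Object deserializeGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderSummary("A-1", 3));
        System.out.println("expected class accepted: "
                + deserializeGuarded(expected).getClass().getSimpleName());

        // Harmless stand-in for a class the endpoint never asked for.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            deserializeGuarded(unexpected);
            System.out.println("BUG: unexpected class was admitted");
        } catch (InvalidClassException e) {
            System.out.println("unexpected class rejected: " + e.getMessage());
        }
    }
}
```

Run with `java DeserializationGuard.java` on Java 11+. The rejection surfaces as an `InvalidClassException` with "filter status: REJECTED", and a log line at that point is a useful detection signal for an endpoint receiving serialized data it should not. A global default can also be set with the `jdk.serialFilter` system property, but a per-stream allow-list like this one is the stricter control because it names only what the endpoint is written to accept.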