Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30881
HistoryJun 17, 2014 - 12:00 a.m.

[oss-security] CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE

2014-06-1700:00:00
vulners.com
113

EPSS

0.973

Percentile

99.9%

Hi All

I have raised this twice with [email protected], on 30 April and June 3. I have received no response either time, therefore I am raising it on oss-security.

CVE-2014-0114 describes a well-known issue in Apache Struts 1:

"It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions."

The root cause of this flaw is that commons-beanutils exposes the class property by default, with no mechanism to disable access to it. Struts 1 is considered EOL upstream, and upstream has not yet shipped a patch for this flaw. Red Hat has shipped a patch, which was submitted upstream as a pull request:

https://github.com/apache/struts1/pull/1

This patch disables access to the class property in struts itself, rather than in commons-beanutils. Other frameworks built on commons-beanutils, such as Apache Stripes, are likely to expose similar issues. I think it would be a good idea to also assign a separate CVE ID to commons-beanutils, and ship a patch for commons-beanutils itself. The commons-beanutils patch could be inherited by other frameworks that may not have the resources to produce their own patch.

commons-beanutils 1.9.2 has now shipped:

http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt

Incorporating a patch for this issue:

https://issues.apache.org/jira/browse/BEANUTILS-463

"A specialized BeanIntrospector implementation has been added which allows suppressing properties. There is also a pre-configured instance removing the class property from beans. Some notes have been added to the user's guide."

I think it would be appropriate to assign a CVE ID to this issue in commons-beanutils, and publish an advisory. This would provide framework developers with the necessary information and impetus to upgrade to commons-beanutils 1.9.2 and make use of SuppressPropertiesBeanIntrospector.

Thanks

David Jorm / Red Hat Product Security