apache-commons-fileupload symlink vulnerability CVE-2013-0248

apache-commons-fileupload symlink vulnerability CVE-2013-0248

Charlie Martin
Hi,

The current (v1.6.3) and previous releases of Axis2 contain the apache commons-fileupload-1.2.jar.

This jar is flagged as being vulnerable to CVE-2013-0248

Could anyone confirm if either:
  • This vulnerability is not applicable to the use of the jar in Axis2
  • If an update is planned

Details of the vulnerability: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248

Many thanks,
Charlie Martin


WebSphere MQ Development
IBM Hursley Labs, Hursley Park, Winchester, Hants. SO21 2JN. UK.
Email: [hidden email]
Tel: +44 (0) 1962 815860, Internal: 37245860


Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU


RE: apache-commons-fileupload symlink vulnerability CVE-2013-0248

Martin Gainty
Mr Martin

Upgrading to commons.fileupload.version 1.3 in both
modules/fastinfoset/pom.xml and
modules/parent/pom.xml
will mitigate CVE-2013-0248.


modules/fastinfoset/pom.xml:
<!-- fastinfoset dependency
     CVE-2013-0248 vulnerability averted by specifying version -->
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3</version> <!-- commons-fileupload versions 1.0 - 1.2.2 are subject to CVE-2013-0248 -->
</dependency>

modules/parent/pom.xml:
<!-- commons-fileupload versions 1.0 - 1.2.2 are subject to CVE-2013-0248; upgrade to 1.3 to mitigate -->
<!-- commons.fileupload.version>1.2</commons.fileupload.version -->
<commons.fileupload.version>1.3</commons.fileupload.version>


Andreas please confirm

Thanks to Mr Martin for detecting this vulnerability
Martin --
To: [hidden email]
Subject: apache-commons-fileupload symlink vulnerability CVE-2013-0248
From: [hidden email]
Date: Thu, 23 Jul 2015 11:41:06 +0100

Re: apache-commons-fileupload symlink vulnerability CVE-2013-0248

Andreas Veithen-2
In reply to this post by Charlie Martin
For this vulnerability to be exploitable, the following conditions must be met:

1) The attacker must have shell access to the machine on which Axis2
runs with any account. Obviously the vulnerability is interesting only
if that account is unprivileged and different from the account Axis2
runs as.
2) Axis2 must be configured to use the servlet based HTTP transport
(because commons-fileupload depends on the servlet API).
3) The temporary directory as configured by the java.io.tmpdir system
property must be writable to the attacker. In practice, this means
world writable, as is the case if java.io.tmpdir is set to /tmp.
4) MultipartFormDataBuilder must be enabled. This is the case for the
default axis2.xml config file distributed with Axis2.
5) At least one Web service must be deployed on Axis2. [I'm not 100%
sure here, but this condition is trivially satisfied in most cases
anyway]

For the standalone Axis2 server, condition 3 is satisfied, but 2 is
not. Tomcat sets java.io.tmpdir to a directory that is writable only
to the user the Tomcat instance runs as. Therefore condition 2 is not
satisfied, and Axis2 deployments on Tomcat are not vulnerable. I would
expect that any decent application server behaves similarly to Tomcat. A
notable exception is IBM WebSphere Application Server which doesn't
change java.io.tmpdir, so that it points to the default /tmp. This
would mean that Axis2 applications deployed on WAS will likely be
vulnerable. Note that I believe that the Axis2 version that is part of
the JAX-WS implementation in the WAS runtime is not vulnerable because
it doesn't enable MultipartFormDataBuilder.

Also note that the mitigation strategy is trivial: upgrade
commons-fileupload or disable MultipartFormDataBuilder.

Andreas

On Thu, Jul 23, 2015 at 11:41 AM, Charlie Martin
<[hidden email]> wrote:
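A defender-side check for condition 3 above (java.io.tmpdir writable to other local users) together with the corresponding hardening, written as an added example; it is not code from this thread, from Axis2 or from Tomcat. It assumes commons-fileupload 1.3 on the classpath and a POSIX filesystem; the class name and the private base directory passed in are hypothetical choices.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Hypothetical helper: checks condition 3 and builds an upload handler that avoids it. */
public final class UploadTempDirCheck {

    /** True if the directory carries the POSIX "other-write" bit, as /tmp (mode 1777) does. */
    public static boolean isWorldWritable(Path dir) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
            return perms.contains(PosixFilePermission.OTHERS_WRITE);
        } catch (UnsupportedOperationException e) {
            return false; // non-POSIX filesystem (e.g. Windows): permission model differs, not checked here
        }
    }

    /** True if an unprivileged local user could plant entries in java.io.tmpdir (condition 3). */
    public static boolean tmpdirExposed() throws IOException {
        return isWorldWritable(new File(System.getProperty("java.io.tmpdir")).toPath());
    }

    /**
     * Builds a ServletFileUpload whose spool directory is private to the process user,
     * so uploaded parts are never written into the shared java.io.tmpdir.
     * privateBase is an application-owned directory (assumed to exist and be writable).
     */
    public static ServletFileUpload hardenedUpload(Path privateBase) throws IOException {
        Path repo = Files.createTempDirectory(privateBase, "upload-spool-",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(repo.toFile()); // spool large parts here instead of java.io.tmpdir
        return new ServletFileUpload(factory);
    }

    public static void main(String[] args) throws IOException {
        if (tmpdirExposed()) {
            System.err.println("WARNING: java.io.tmpdir is world-writable; condition 3 is satisfied");
        }
    }
}
```

Running the check at startup surfaces the WebSphere-style default (java.io.tmpdir left at /tmp) before the service goes live; the private repository removes the shared directory from the upload path regardless of the library version.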
