[CVE-2019-0195] Apache Tapestry vulnerability disclosure

Thiago H de Paula Figueiredo
CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.3

Description:
Manipulating classpath asset file URLs, an attacker could guess the path to
a known file in the classpath and have it downloaded. If the attacker
found the file with the value of the tapestry.hmac-passphrase configuration
symbol, most probably the webapp's AppModule class, the value of this
symbol could be used to craft a Java deserialization attack, thus running
malicious injected Java code. The vector would be the t:formdata parameter
from the Form component.

Mitigation:
Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
version.

Credit:
Ricter Zheng

--
Thiago H. de Paula Figueiredo
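A defender-side check that follows from the description above, as an added example that is not part of Thiago's announcement or of Tapestry itself: scan web server access logs for asset requests that fetch `.class` files, reference `AppModule`, or step outside the asset tree. The asset URL prefix (`/assets/`) and the log lines are assumptions constructed for the example; adjust the prefix to match your deployment.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Assumed URL prefix under which the webapp serves Tapestry assets; adjust per deployment.
ASSET_PREFIX = "/assets/"

# Constructed sample lines in Apache/Nginx "combined" style; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Sep/2019:16:11:00 +0000] "GET /assets/1.2.3/app/css/site.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2019:16:12:00 +0000] "GET /assets/1.2.3/app/pages/Index.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Sep/2019:16:13:00 +0000] "GET /assets/1.2.3/com/example/services/AppModule.class HTTP/1.1" 200 4096 "-" "curl/7.64"
198.51.100.9 - - [13/Sep/2019:16:13:05 +0000] "GET /assets/1.2.3/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/7.64"
203.0.113.5 - - [13/Sep/2019:16:14:00 +0000] "GET /index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_reasons(path: str) -> List[str]:
    """Return why an asset request looks like a classpath file-read probe (empty list if benign)."""
    # Drop the query string and decode twice so double-encoded dot segments are also caught.
    decoded = unquote(unquote(path.split("?", 1)[0]))
    if not decoded.startswith(ASSET_PREFIX):
        return []
    reasons: List[str] = []
    if ".." in decoded.split("/"):
        reasons.append("dot-dot segment")
    if re.search(r"/(WEB-INF|META-INF)/", decoded):
        reasons.append("WEB-INF/META-INF path")
    if decoded.lower().endswith(".class"):
        reasons.append("class file requested")
    if "AppModule" in decoded:
        reasons.append("AppModule referenced")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and return only the flagged requests, with their reasons."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m.group("path"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} -> {', '.join(f['reasons'])}")
```

A 200 status on a flagged line (the `.class` request in the sample) deserves the most attention, since it means the server actually served the file; 404s still show the probing pattern and the source address.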
Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure

Nourredine K.
Hello Thiago,

Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?
I think we should create a dedicated Jira ticket for each CVE to allow
security devs to track Tapestry CVEs more easily.

Regards,

Nouredine

On Fri, 13 Sep 2019 at 16:11, Thiago H. de Paula Figueiredo <
[hidden email]> wrote:

> CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
> Severity: important
> Vendor: The Apache Software Foundation
> Versions affected: all Apache Tapestry versions between 5.4.0, including
> its betas, and 5.4.3
>
> Description:
> Manipulating classpath asset file URLs, an attacker could guess the path to
> a known file in the classpath and have it downloaded. If the attacker
> found the file with the value of the tapestry.hmac-passphrase configuration
> symbol, most probably the webapp's AppModule class, the value of this
> symbol could be used to craft a Java deserialization attack, thus running
> malicious injected Java code. The vector would be the t:formdata parameter
> from the Form component.
>
> Mitigation:
> Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> version.
>
> Credit:
> Ricter Zheng
>
> --
> Thiago H. de Paula Figueiredo
>
Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure

Thiago H de Paula Figueiredo
On Mon, Oct 7, 2019 at 11:35 AM Nourredine K. <[hidden email]>
wrote:

> Hello Thiago,
>

Hello!


> Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?
>

Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.3


> I think we should create a dedicated Jira ticket for each CVE to allow
> security devs to track Tapestry CVEs more easily.
>
> Regards,
>
> Nouredine
>
> On Fri, 13 Sep 2019 at 16:11, Thiago H. de Paula Figueiredo <
> [hidden email]> wrote:
>
> > CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
> > Severity: important
> > Vendor: The Apache Software Foundation
> > Versions affected: all Apache Tapestry versions between 5.4.0, including
> > its betas, and 5.4.3
> >
> > Description:
> > Manipulating classpath asset file URLs, an attacker could guess the path
> to
> > a known file in the classpath and have it downloaded. If the attacker
> > found the file with the value of the tapestry.hmac-passphrase
> configuration
> > symbol, most probably the webapp's AppModule class, the value of this
> > symbol could be used to craft a Java deserialization attack, thus running
> > malicious injected Java code. The vector would be the t:formdata
> parameter
> > from the Form component.
> >
> > Mitigation:
> > Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> > version.
> >
> > Credit:
> > Ricter Zheng
> >
> > --
> > Thiago H. de Paula Figueiredo
> >
>


--
Thiago
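A quick way to answer the version question raised in this thread for a given build, as an added example that is not part of the thread or of Tapestry: test whether a version string falls in the range the advisory names (5.4.0 and its betas through 5.4.3) and run that over `mvn dependency:list` output. The beta naming pattern (`5.4-beta-N`) and the sample dependency output are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Range stated in the advisory: 5.4.0 (including its betas) through 5.4.3; fixed release 5.4.5.
AFFECTED_LOW = (5, 4, 0)
AFFECTED_HIGH = (5, 4, 3)
FIXED_VERSION = "5.4.5"

# Assumed version syntax: "5.4.1" or a pre-release such as "5.4-beta-26" (tag format is an assumption).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)-?(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Map a version string to (major, minor, patch); a beta of 5.4 counts as 5.4.0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, _tag, _num = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_affected_range(version: str) -> bool:
    """True when the version lies inside the range the advisory names as affected."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


# Constructed sample of `mvn dependency:list` output; not from any real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tapestry:tapestry-core:jar:5.4.1:compile
[INFO]    org.apache.tapestry:tapestry-ioc:jar:5.4.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO]    javax.servlet:javax.servlet-api:jar:3.1.0:provided
"""

# group:artifact:type:version:scope, the shape printed by dependency:list.
DEP_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):(?P<version>[\w.-]+):(?P<scope>\w+)"
)


def find_affected_tapestry_artifacts(text: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) for every org.apache.tapestry artifact in the affected range."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group("group") != "org.apache.tapestry":
            continue
        try:
            affected = in_affected_range(m.group("version"))
        except ValueError:
            continue  # unknown version syntax: leave it for manual review
        if affected:
            hits.append((m.group("artifact"), m.group("version")))
    return hits


if __name__ == "__main__":
    for artifact, version in find_affected_tapestry_artifacts(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version} is in the affected range; upgrade to {FIXED_VERSION}")
```

The check deliberately reports only what the advisory states: versions outside 5.4.0 through 5.4.3 (such as 5.3.x) are not flagged, and a version string it cannot parse is skipped rather than silently treated as safe.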