
Critical vulnerabilities in the latest stable release 0.5.3 #577

Closed
gavinkflam opened this issue Jun 19, 2018 · 3 comments

@gavinkflam

Description

There are two critical (9.8) and one high (7.5) severity vulnerabilities in the latest stable release. They are listed as follows.

  • CVE-2016-1000031 (9.8 Critical)
    Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
    This vulnerability is affecting commons-fileupload 1.3.1, which is a transitive dependency from ring-core 1.5.1.
  • CVE-2016-3092 (7.5 High)
    The MultipartStream class in Apache Commons Fileupload before 1.3.2 allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
    This vulnerability is affecting commons-fileupload 1.3.1, which is a transitive dependency from ring-core 1.5.1.
  • CVE-2017-5929 (9.8 Critical)
    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
    This vulnerability is affecting logback-core 1.1.3, which is a transitive dependency from immutant web 2.1.4.

A quick check revealed that:

  • ring-core 1.6.3 has already updated to the latest commons-fileupload.
  • immutant web 2.1.10 has already updated to the latest wunderboss-web-undertow. However, the latest wunderboss-core still depends on the outdated logback-core. I shall report the issue to them afterwards.
  • The unreleased 0.5.4 should have eliminated the two commons-fileupload issues.

Expected Behavior

The vulnerabilities should be eliminated in a stable release.

Thus, I propose finalizing and publishing the 0.5.4 release as soon as possible.

Actual Behavior

The vulnerabilities are affecting the latest stable release 0.5.3.

Steps to reproduce

N/A.

Environment

N/A.

Operating System (including version).

N/A.

Your current Leiningen or Boot version (lein --version or boot --version)

N/A.

Pedestal version

0.5.3
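One concrete way to apply the findings above to a Leiningen-based Pedestal service while waiting for a fixed release, as an added example that is not part of the issue or of the Pedestal project: the patched library versions are declared at the top level so that Leiningen's resolution prefers them over the vulnerable transitive ones, and an alias prints the resolved tree for verification. The project name and the assumption that the service uses the pedestal.immutant adapter are hypothetical; the fixed versions come from the CVE texts quoted in the report.

```clojure
;; project.clj for a hypothetical Pedestal 0.5.3 service (added example; not
;; code from the issue or the Pedestal project). Remediation: declare the
;; patched artifacts directly so Leiningen's nearest-wins resolution takes them
;; instead of commons-fileupload 1.3.1 (via ring-core 1.5.1) and logback-core
;; 1.1.3 (via immutant web 2.1.4).
(defproject example-service "0.1.0"               ; hypothetical project name
  :dependencies
  [[io.pedestal/pedestal.service "0.5.3"]          ; affected release from the report
   [io.pedestal/pedestal.immutant "0.5.3"]         ; assumed adapter; pulls in immutant web

   ;; Direct declarations override transitive ones, so these pins replace the
   ;; vulnerable versions. "before 1.3.3" and "before 1.2.0" are the fixed
   ;; boundaries quoted in the CVE descriptions above.
   [commons-fileupload/commons-fileupload "1.3.3"] ; CVE-2016-1000031, CVE-2016-3092
   [ch.qos.logback/logback-core "1.2.0"]           ; CVE-2017-5929
   ;; Assumption: keep logback-classic at the same version as logback-core so
   ;; the classpath does not carry a mixed-version logback.
   [ch.qos.logback/logback-classic "1.2.0"]]

  ;; Report any remaining version conflicts at resolution time instead of
  ;; letting Leiningen silently pick one (:abort would fail the build instead).
  :pedantic? :warn

  ;; Convenience alias: prints the resolved dependency tree so the pinned
  ;; versions can be checked, e.g. `lein vuln-check | grep -E 'fileupload|logback'`.
  :aliases {"vuln-check" ["deps" ":tree"]})
```

After upgrading to a Pedestal release that carries ring-core 1.6.3 and a fixed immutant/wunderboss chain, the explicit pins can be removed and the tree re-checked with the same alias.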

@gavinkflam (Author)

gavinkflam commented Jun 19, 2018

I have just reported the vulnerability in the WunderBoss and Immutant community.

WunderBoss issue tracker: projectodd/wunderboss#19
Immutant issue tracker: https://issues.jboss.org/browse/IMMUTANT-642

@ohpauleez (Member)

Thanks for reporting the issue @gavinkflam and raising awareness. I had also seen these crop up via OWASP's dependency check. Releases are always gated with trial deployments. Snapshot versions of Pedestal master have been running in prod/prod-like environments to ensure everything is working as expected, and so far things have been great.

We're going to address the few issues around test, context-path, url-for, and a small change to the tracing interceptor before cutting the release.

Until then, it's recommended that you run Pedestal master if your service is exposed to public traffic. Also note that these vulnerabilities have narrow attack surfaces -- tightly controlling your interceptor chain, bind hosts, and system/lib configurations goes a long way to keeping things locked down.

@ohpauleez (Member)

Pedestal 0.5.4 has been released to clojars.
