vulnerability reports

URGENT AND CRITICAL: REMOTE CODE EXECUTION IN VARIOUS SPRING COMPONENTS NEEDS IMMEDIATE ATTENTION

bbossola, , Leave a comment

Red alert! All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered vulnerabilities “Spring4Shell” since its announcement, between 29th and 30th March, 2022, affecting various Spring components.

CVE-2022-22963

Vulnerability Score: 9.5 (CVSS: 3.0 / AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Platform: Java
Components: org.springframework.cloud:spring-cloud-function-core, org.springframework.cloud:spring-cloud-function-context
Affected versions: 3.1.6, 3.2.2 and older unsupported versions
Fixed in version: 3.1.7, 3.2.3

CVE-2022-22965

Vulnerability Score: 9.5 (CVSS:3.0 / AV: N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Platform: Java
Components: org.springframework:spring-beans
Affected versions: all versions before 5.2.20, all versions before 5.3.18 
Fixed in version: 5.2.20, 5.3.18

Please note that this affects also the spring-framework package and the spring-boot package, that both use the offending libraries. New versions of such packages have been made available. You can upgrade spring-framework to version 5.2.20 or 5.3.18, and you can upgrade spring-boot to version 2.5.12 or 2.6.6 (note that spring-boot itself includes spring-framework, no other upgrades necessary).

Which systems does these affect?

CVE-2022-22963 affects any project built using a vulnerable version of Spring Cloud, a framework that provides tools for developers to quickly build some of the common patterns in distributed systems. The “functions” part is a subsystem used to implement serverless functions like AWS lambda or Google Cloud Functions: if you are using such subsystem you are potentially affected.

CVE-2022-22965 affects any project built using a vulnerable version of Spring Framework, Spring Boot or the library spring-beans. A successful attack, however, can only be conducted undere these conditions:

  • JDK 9 or higher is used as the runtime environment
  • Apache Tomcat is used as the Servlet container
  • The application is packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • There is a dependency with spring-webmvc or spring-webflux, or an endpoint is used with DataBinder enabled

Please note however that analysis are undergoing and the nature of the vulnerability is quite general: we suggest you keep monitoring this page for further updates.


Why do these threats demand an urgent patch?

Both vulnerabilities allows the attacker to remotely execute code on your system, with the ability to gain complete control of the underlying servers. It’s a simple exploit, as it requires only to send a crafted HTTP header in a request in order to execute code on the remote host. These vulnerabilities are actively exploited in the wild.


How can I check if my system is affected?

If you maintain any software using Java libraries, check if you are using any Spring Cloud Function library. The  Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries.  If it is using the offending package, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.

If you are a developer and you have access to the code, you can simply execute this command from your terminal:

CVE-2022-22963:

$ mvn dependency:tree | grep spring-cloud-function | grep compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:3.1.2:compile

If you see any response lines, check the version: if it’s below 3.1.7 (as in the above example) or, if using 3.2.x, below 3.2.3, you may be affected.

CVE-2022-22965:

$ mvn dependency:tree | grep spring-beans | grep compile
[INFO] +- org.springframework:spring-beans:jar:5.3.11:compile

If you see any response lines, check the version: if it’s below 5.3.18 (as in the above example) or, if using 5.2.x, below 5.2.20, you may be affected.


My system has the vulnerable spring cloud function library — how can I mitigate the risk?

There are now patched versions of the affected components that resolve the issues, they are available via the standard Maven repositories. Upgrade the offending packages using the patched versions, as described in this article.

If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before.

CVE-2022-22963:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-function-core</artifactId>
        <version>3.1.7</version>
    </dependency>

Please be aware that there are multiple packages rooted in "spring-cloud-function": you will need to upgrade all of them, in particular "spring-cloud-function-context" which is also directly affected.

CVE-2022-22965:

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>5.3.18</version>
    </dependency>

Please be aware that you may need / may be better to upgrade the parent pom of the project using an unaffected version of spring boot / spring framework (see at the start of the article).


What can I do to proactively protect from such vulnerabilities?

We always suggest you regularly scan your software code bases. 

  • To do a scan from the command line using the Meterian CLI scanner
  • To include this as part of your continuous improvement efforts to build resilience into your software development lifecycle, see our documentation on the various integrations we support with GitHub ActionsAzure DevOps Pipelines, and others.


Are Meterian applications affected by the spring vulnerability?

We have verified our applications and none are using the offending packages in a vulnerable configuration. We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components. Given the nature of this vulnerability we will be running a specific monitoring for the following days, while more details are unfolded in regards to those vulnerabilities.   

Related references

CVE-2022-22963

CVE-2022-22965

URGENT AND CRITICAL: REMOTE CODE EXECUTION IN VARIOUS SPRING COMPONENTS NEEDS IMMEDIATE ATTENTION

An introduction to the world of SBOMs

viviandufour, , , Leave a comment 
3 minute read

We are sure many of you have been hearing about SBOMs. Nowadays, software include some components with code written by your own developers, but 80-90% of the code is typically from third-party developers. How can you know who produced what and when it absolutely needs to be replaced? Since Meterian has been managing SBOMs for awhile, we’re happy to share our know-how so you can consider a comprehensive strategy to manage your open source software supply chain. 

Photo by Raymond Rasmusson on Unsplash

What is an SBOM?

SBOM is an acronym that means Software Bill Of Materials. The concept originates from the manufacturing industry, where a bill of materials lists dependent components in machinery. A SBOM lists all third-party components present in your application. A good SBOM also lists the licences used by each component and, when possible, the specific copyright attribution. An excellent SBOM can also provide further information, such as possible relationships between those components to better understand any supply chain risk. You may have encountered SBOMs in the past, known as “third party notice” documents created to manage legal requirements, such as the one in the image below. 

Altova Third Party Software License Notice

However, modern SBOMs are “machine-readable”.  They follow a strict specification that can be understood by a computer. 

What machine-readable formats are used to publish SBOMs?

The most commonly used formats to define a SBOM are:

  • CycloneDX, a lightweight open-source standard designed for use in application security context and supply chain component analysis. This originated from within the OWASP community.
  • SPDX, an open source format with origins in the Linux Foundation, slightly more complex, and recently approved as ISO/IEC standard in version 2.2.1 as ISO IEC 5962:2021.
  • SWID, another ISO/IEC industry standard used by various commercial software publishers.

All these formats support a variety of use cases, but the first two (CycloneDX and SPDX) are the most versatile. Due to SPDX’s complexity, we think CycloneDX has an edge at this time, but only time can tell which of these formats will be the winner. To learn more about these formats you can also read the official NTIA publication, which drills down into the matter.

Why are SBOMs important? And how are they useful?

As a consumer of software, the main reason why you want to have access to the SBOMs of the systems you are using is to manage risks. When a very commonly used software component becomes vulnerable: how do you know what you need to patch and which subsystems are at risk? This is exactly what happened with the recent Log4Shell debacle. The logging library called Log4j, was suddenly exploitable with a very simple and repeatable attack. How do you know where it is? Which one of the systems you are using is suddenly at risk?  With a correctly managed archive of SBOMs, getting this information reduces to a very simple lookup task. Without it, it can be a real nuisance —a time consuming information hunt that disrupts everyone’s work flow.

As a producer of software, instead, you want to preserve and maintain an archive of all the SBOMs of the system you produce so that you can create and distribute timely patches to your customers. Having a systematic and comprehensive analysis of your most commonly used software packages would be useful indeed. Some companies were very fast in releasing patches to their customers, while others were extremely slow, mostly because they did not have the information.  You probably want to be in the first group of companies 🙂

Governments are also mandating the need for use of SBOMs, realising that software security needs to be regulated.  The U.S. Executive Order 14028 that mandates all federal agencies to require SBOMs from their suppliers.  This not only impacts the companies that have direct sales to the US government but also their own software suppliers.  As so many systems and devices have been connecting to the Internet to send and receive information, consequently our digital world relies on a software supply chain.  This “ripple effect” will be significant for many industries. 

It’s important to consider how software products you produce can meet basic security requirements and how the associated software security information is produced and managed in your organisation.   Similar legislation has already been proposed in Europe since the publication of  “Guidelines for securing the IoT” by ENISA (hint: SBOMs are required) and the ETSI EN 303 645 global standard for consumer IoT security, which is based on the UK government’s Code of Practice.  See also the recently published Product Security and Telecommunications Infrastructure (PSTI) Bill and more to come from the UK government to improve the UK’s cyber resilience.

How should SBOMs be handled?

Very carefully :), because an SBOM contains the full list of the “ingredients” of your system or application. While open-source projects happily share this information to the world, the same does not apply to private companies. In fact, a malicious actor that gets hold of the SBOM of your system can then check if you are using any vulnerable components. There are public vulnerability databases, such as the NVD, which are very popular. Someone can simply browse in there and compose a list of possible attacks, try them, and maybe get lucky.  Probably 9 out of 10 vulnerabilities affecting components in your system won’t be exploitable, but having the ability to go through the whole list, certainly makes the task of finding an exploit much easier. 

There’s no need to keep SBOMs a complete secret, however, as long as a few simple principles are kept in check:

  • SBOMs need to be shared securely,
  • they need to be accessed only by the authorised parties, across organisational boundaries, and
  • they should not be tampered with.

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  

Why bother with SBOMs now?

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  In our hyper connected world, comprehensive coverage of components is important for preventative strategies and threat detection in supply chain attacks.  Therefore, implementing SBOM management proactively now will be worth something to your organisation when the next critical vulnerability appears and stand your organisation in good stead. All good collections are worth organising. How valuable is your collection of software?

Photo by Susan Q Yin on Unsplash

Get started with SBOMs

The need for SBOMs is already high. Level up your open source software security and implement this requirement. Check out the SBOM capabilities in Meterian-X platform’s approach to DevSecOps.

An introduction to the world of SBOMs

Urgent and Critical: Remote Code Execution in Apache Log4j needs immediate upgrade

viviandufour, , , , Leave a comment

Updated: 31 Dec 2021

5 minute read

This is a call to arms. All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered Apache Log4j vulnerability since its announcement on Dec 9, 2021. Since then several security vulnerabilities in the wild have been discovered.

CVE-2021-44832

Vulnerability Score: 6.6 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: 2.0-alpha7 to 2.17.0 inclusive, except 2.3.2 and 2.12.4.
Fixed in version: 2.17.1

CVE-2021-44228

Vulnerability Score: 10.0 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions before 2.14.1, inclusive
Fixed in version: 2.15.0 but upgrade to 2.17.0 is required because of CVE-2021-45105

CVE-2021-45046

Vulnerability Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) (updated 18/12/2021)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions up to 2.15.0, excluding 2.12.2
Fixed in version: 2.16.0 but upgrade to 2.17.0 is required because of CVE-2021-45105

CVE-2021-45105

Vulnerability Score: 7.5 (CVSS: 3.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions from 2.0-beta9 to 2.16.0, inclusive
Fixed in version: 2.17.0


Which systems does this affect?

Apache Log4j is probably the most common library used for logging in the Java ecosystem with over 400,000 downloads from its GitHub project. It is used in Java applications to log system and user activities, so there’s a serious possibility your Java software is using it. It is used, internally, by many other Apache frameworks such as Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo. It is also actively used in many other open source projects, like Redis, ElasticSearch, Elastic Logstash, Ghidra and many others.

Among all these open source components, one needs a special mention: Apache Struts. Yes, it is actively using Log4j. There exists a potential to trigger high-impact attacks against a wide variety of apps and services, similar to the scale witnessed in 2017. At that time, due to the vulnerability exploited in the Equifax megahack, 140 million customers’ data in North America and UK were breached. The latest version of Apache Struts, 2.5.28, uses by default Log4j version 2.12.21, which is vulnerable to this attack. This time, however, the scope for damage could be even wider, as Apache Struts is one of many Apache frameworks that use Log4j. 

The Java ecosystem is in very broad use in enterprise systems and web apps and many mainstream services are likely to be vulnerable. Therefore, software maintainers and developers should pay close attention to this vulnerability. 

This has been preliminary filed as CVE-2021-44228, and a subsequent vulnerability was also flagged, now filed under CVE-2021-45046.


Why does this threat demand an urgent patch?

This vulnerability allows the attacker to remotely execute code on your system, with the ability to gain complete control of the underlying servers.

This is actively exploited on the internet now and there is already a simple POC (proof of concept) available on the internet that explains how to do it. 

From https://www.wired.com/story/log4j-flaw-hacking-internet/:

“All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.  […]Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.”

If you maintain an enterprise system using Java software, you would need to update all affected applications, whether they are maintained directly by your organisation or your supplier organisation.

Within 2 days of the 2017 vulnerability being announced, several systems around the world were breached by exploiting the software weakness.  We do not want more cyber breaches of such scale and all need to react quickly to patch vulnerable systems.


How can I check if my system is affected?

If you maintain any software using Java libraries, check if you are using Apache Log4j.  Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries.  If it is using Log4j, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.

If you are a developer and you have access to the code, you can simply execute this command from your terminal:

$ mvn dependency:tree | grep log4j-core | grep compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile

If you see any response lines, check the version: if it’s below 2.16.0 (as in the above example) you may be affected.


My system has the vulnerable log4j library — how can I mitigate the risk?

There is a patched version of the library that resolves the issue.  Released by Apache Software Foundation, the solution is to immediately upgrade log4j to the latest log4j version 2.16.0.  The fixed version is available via Maven

If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before:

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.16.0</version>
    </dependency>

A set of mitigations, specific to the version you are using, are also available on the Apache Log4j website. The Apache Struts team provided specific advice on how to handle the issue.

If you are using an external product that runs with Java, you can also protect your systems by launching the JVM with this special parameter:

-Dlog4j2.formatMsgNoLookups=true

This is useful for tools like Jenkins, where you have control of the installation but you do not have control of the code, but please note that this does not protect against the latest CVE.


What can I do to proactively protect from such vulnerabilities?

We always suggest you regularly scan your software code bases. 


Are Meterian applications affected by the log4j vulnerability?

No. We have verified our applications and none are using log4j.  We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components.   

Related references

Urgent and Critical: Remote Code Execution in Apache Log4j needs immediate upgrade

The Rising Role of Cyber Security in Sustainable Development and Growth

Elizabeth LaffoyLeave a comment

Last updated: 07/07/2021

12 minute read

Photo by Kervin Edward Lara on Pexels.com

The topic of sustainability is unmissable at the moment. As the urgency of the situation grows, it continues to demand attention from various sectors and industries within society. You may wonder where the cyber security industry fits into all of this. Whilst traditionally from very different worlds, they are united through the characteristics of constant innovation and the capacity to bring about real change for the better. Certainly, cyber security has a bigger role to play in the overarching battle for a more sustainable world than one may initially think. 

The Industry

As around two thirds of greenhouse gas emissions world wide are associated with burning fossil fuels1, renewable energy is a good place to start. The UK currently has the largest number of offshore wind resources in the world, equating to about 10GW in operation outside of the border2. Infrastructure such as this pushes us one step closer to meeting the UK’s target of reaching net zero emissions by 20502. It’s not just the UK that has set the ball rolling in the fight against greenhouse emissions, our friends across the pond are aiming for no electricity sector carbon emissions by 2035— as outlined by Biden3. So, whilst this growing industry means great things for our hopes of preserving the world we live in, mass investment means it is also shaping up to be a very lucrative market for cyber criminals to direct their efforts towards. Jim Guinn, global managing director for cyber security in energy, chemicals, utilities and mining at Accenture states, “The cybersecurity conversation in the renewable energy engineering and construction business is almost nonexistent today.”3 It is imperative that an industry gaining traction as quickly as this one protects itself with the necessary defense measures against cyber attacks.

How exactly are renewable energy plants made vulnerable to cyber hackers?

As mentioned before, sustainability shares close ties with new innovation. Renewables depend on control systems and distribution networks supported by technology. As many sources of renewable energy, such as wind and solar power are not readily available 24/7 like fossil fuels are— they require storage previsions that are also underpinned by technology4. IoT plays a huge role in the remote monitoring, control and regulation of off-shore wind turbines5. As we know, more than 75% of the code in use that makes these technologies a reality is open source, putting open source components smack bang in the middle of the sustainability conversation. However, older wind farms and their communication systems were never designed with the “security by design” mindset like the IEC 62443 standard6, similar to the GDPR principle7. As stated by Jim Guinn “renewables have lax cybersecurity standards, as they are an industry that may be more focused on building first and leaving cybersecurity as an afterthought”3.

Past attacks

A first example in which renewable energy facilities became victims of cyber attacks was the 2014 DragonFly hack8. The cyber criminal group used Remote Access Trojans (RAT) named Backdoor.Oldrea and Trojan.Karagany to infiltrate energy grid operators, major electricity generation firms, petroleum pipeline operators, and Energy industry industrial control system (ICS) equipment manufacturers located in the United States, Spain, France, Italy, Germany, Turkey, and Poland. The hackers had been present in systems since 2011 before detection. Although reports indicate that the overarching aim of the hack was to gather intelligence, later investigation suggested it also had the capacity to take control of physical systems themselves. 

A second example in which renewable energy facilities have fallen victim to cyber attack was the SPower hack of 2019. Unfortunately, the group gained the title of being the first U.S. provider of solar and wind renewable energy to have been the victim of a cyber-attack. A hacker used a vulnerability in a Cisco firewall to interrupt the connection between sPower’s wind and solar power generation installations and the company’s main command center9

More recently, Colonial Pipeline’s hack10– reported on 7th May 2021 fell victim to a cyber attack, highlighting just how seriously energy supplies can be affected by cyber criminal organisations. As a result of ransomware, one of the U.S’ biggest pipelines was forced to shut down operations11. In the subsequently released statement it was revealed that after a 90M bitcoin payout, Colonial Pipeline said that remediation is ongoing and each system is being worked on in an “incremental approach”12. This attack compromised around 45% of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. Whilst the energy jeopardised in this case was not renewable, Jonathan White, director of NREL’s cybersecurity program office highlighted that “As the penetration of renewable generation and EV charging stations increases in the future, the consequence of a successful attack is likely to be similar in aggregate to those of a successful attack to a natural gas, coal or nuclear plant today”3. Thus, a cyber attack such as the one launched on Colonial Pipeline gives a worrying insight into the potential damage that could be launched on the renewable energy sector. 

Risks for the future

After using the Meterian web scanner to evaluate the security of some major UK energy suppliers, we were able to see that similar issues are being faced. For example, the UK’s biggest supplier of energy, British Gas received a security score of 0 out of a best possible 100. Our report indicates that they currently have components in use that pose a threat to their system, as well as components in use with undeclared licenses.

Again, after scanning https://firstlightfusion.com/, one of the UK’s leading renewable energy suppliers, we found 2 high threat level vulnerabilities and 3 medium threat level vulnerabilities, as well as components in use with undeclared licenses. 

As this sector grows in both relevance and monetary value, there is a need for adequate cyber security that is growing in unison. According to industry growth trajectories, the renewable energy sector is set to become a big target of cyber hackers. As shown in this blog, experts have not been afraid to warn that more needs to be done to reinforce the security of renewable plants. The need is made even more important to protect consumers’ faith in new energy sources that play an important role in our fight against climate change. 

There is some evidence that the tide is changing to benefit the cybersecurity of the energy sector, both traditional and renewable. On 12th May 2021 Biden issued The Executive Order on Improving the Nation’s Cybersecurity13. A few main points from the bill are:

  1. New and more stringent cyber security standards for government purchased software including multi-factor authentication and endpoint detection and response of software.
  2. Suppliers of technology must provide a SBOM (Software Bill Of Materials) that highlights the source of the software (supplier ID) that can be used to perform a risk assessment. This supplier ID can be used to alert high risk software if it is not verified by the digital signature applied to a SBOM14.
  3. There is to be the enforced sharing of intel surrounding cyber attacks, in the hope that the sharing of information will benefit us all. Jennifer Bisceglie, President and CEO of enterprise resilience company Interos Inc., stated that “we live in a world that people are, and companies are very concerned about their brand and reputation”15 and thus are reluctant to admit to cyber breaches. The new bill is set to remove fear of blame and shame and promote collaborative learning and continuous improvement for a safer and stronger society in the digital world.

An automatic, continuous line of defence protecting the open source components in use in renewable energy control systems is one way that Meterian can support the ongoing battle against carbon emissions. Whilst incremental in their support of rapid innovation, open source components are a pressure point to security systems of which cyber attackers are not afraid to make use of.

Visit our homepage to learn more about how Meterian can secure your businesses’ open source components—keeping cyber hackers out and your intellectual property in.

1 “Energy and climate change”. European Environment Agency, 11 May 2021, https ://www.eea.europa.eu/signals/signals-2017/articles/energy-and-climate-change

2 GOV.UK, 6 October 2020, https ://www.gov.uk/government/news/new-plans-to-make-uk-world-leader-in-green-energy

3 Vasquez, Christian. “CYBERSECUIRTY: Biden is eyeing renewable energy. So are hackers”. E&E News, 22 December 2020, https ://www.eenews.net/stories/1063721291

4 Ruhle, Micheal and Trakimavicius, Lukas. “Cyberattacks are the new challenge for renewable energy”. Politico, 18 July 2017, https ://www.politico.eu/article/opinion-cyberattacks-are-the-new-challenge-for-renewable-energy/

5 Taylor-Smith, Kerry. “How IoT can improve the performance of offshore windfarms”. NS Energy, 15 May 2020, https ://www.nsenergybusiness.com/features/iot-wind-power/

6 Freudenberg, Wolf K. “Why windfarms need to step up cyber security”. DNV, https ://www.dnv.com/article/why-windfarms-need-to-step-up-cyber-security-128082.

7 https ://gdpr-info.eu/art-25-gdpr/

8 “Emerging Threat: Dragonfly/ Energetic Bear – APT group”. BROADCOM, 30th June 2014, https ://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=16fb565a-8297-4641-8105-b5d0d4db3ee1&CommunityKey=30643d26-dab8-4c4b-a34e-5f6f02d58ff6&tab=librarydocuments

9 Cimpanu, Catalin. “Cyber-attack hits Utah wind and solar energy provider”. ZDNet, 31 October 2019, https ://www.zdnet.com/article/cyber-attack-hits-utah-wind-and-solar-energy-provider/

10 “Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after attack”. The Guardian, 20 May 2021, https ://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom

11 Galiordi, Natalie. “Colonial Pipeline aims to restore operations by end of the week after cyberattack”. ZDNet, 10 May 2021, https ://www.zdnet.com/article/colonial-pipeline-aims-to-restore-operations-by-end-of-the-week-after-cyberattack/

12 Stevens, Pippa. “Owner of pipeline shuttered by cyber attack aims to restore service by end of the week”. CNBC, 10 May 2021, https ://www.cnbc.com/2021/05/10/colonial-says-parts-of-fuel-pipeline-being-brought-online-aims-to-restore-service-by-end-of-week.html

13 The White House, 12 May 2021, https ://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

14 Brooks, Richard. energycentral, 21 May 2021, https ://energycentral.com/c/ec/cybersecurity-executive-order-requires-new-software-security-standards-synopsys

15 Roby, Karen. MSN, “Expert: Biden’s executive order on cyber security is a good start toward protecting organizations”. 26 May 2021, https ://www.msn.com/en-us/money/smallbusiness/expert-bidens-executive-order-on-cybersecurity-is-a-good-start-toward-protecting-organizations/ar-AAKnd7E?ocid=uxbndlbing

The Rising Role of Cyber Security in Sustainable Development and Growth

jQuery, Javascript vulnerability of the month

Marco Sciortino, , , , Leave a comment
Artwork by Marco Sciortino

Here we are! Guess what’s vulnerable again?
On April 10th 2020 it was made public that a vulnerability has been exploited in the most popular Javascript library ever implemented: jQuery 3.4.1.

Why is jQuery 3.4.1 vulnerable?

Vulnerability score: 5
Platform: Javascript
Components: jQuery, all versions before 3.5.0

When jQuery is invoked, it reads the HTML document and returns requested fragments of it.
Now, while reading the document it might find that the one or more requested fragments are not in the correct format, so it tries to translate them. Although most of the times the translation is correctly performed, it’s been demonstrated that in particular cases the conversion (or parsing) could lead to an XSS cross-site scripting vulnerability.

An XSS cross-site scripting is a type of code vulnerability that allows attackers to insert malicious code into the web pages viewed by other users. It might be exploited to steal information such as access tokens or other sensitive information. This is what a criminal or Black Hat hacker would do.

This is what a criminal or Black Hat hacker would do. White Hat hackers, on the other hand, would behave ethically and use their software White Hat hackers, on the other hand, would behave ethically. Using their software engineering knowledge, White Hat hackers would show how to exploit a vulnerability: publish useful information about it to make sure both users and owners of the vulnerable library could take actions to prevent attacks.

What actions are required to safely update?

The first thing to know is that all the old versions of jQuery have some sort of vulnerability.  Up until April 10th, version 3.4.1 was the only safe version available.  Fortunately, the new minor release 3.5.0 has been published to fix the XSS security vulnerability.

As suggested in the jQuery release note, updating to this latest version might break your code as, to prevent the abuse of this vulnerability, the HTML element phrase is no longer converted.
Therefore, a code review might be in order.

There is a lot of time-consuming effort involved in staying on track with all the latest code vulnerabilities as they are discovered but, fortunately, Meterian can help you with that.

When added to the CI/CD pipeline of any application, Meterian will automatically detect such vulnerabilities, or even fix them for you, and it will help you avoid the risk of an attack before it becomes a problem.

Beat open source vulnerabilities with Meterian.

jQuery, Javascript vulnerability of the month

Vulnerability Focus: Javascript

Victoria C., , , , Leave a comment

Welcome back to Meterian’s next Vulnerability Focus report edition. This week we are talking about Javascript vulnerabilities which need to be addressed. Both have been published in recent months and have a medium severity threat. The first vulnerability could result in a cross-site scripting attack whilst the second is to do with a cryptographic issue. There are over 1.6 billion websites in the world, and JavaScript is used on 95% of them, be sure to check if you could be affected.

  • CVE-2019-12043: there is a vulnerability in remarkable 1.7.1 affecting the unknown processing in the library lib/parser_inline.js of the component URL Handler. Manipulation of this component can lead to cross-site-scripting.
  • CVE-2019-9155: OpenPGP.js has a cryptographic issue which could allow attackers to conduct an invalid curve attack and gain the victim’s ECDH private key

CVE-2019-12043

Vulnerability Score: 6.1

Platform: Javascript

Components: remarkable version 1.7.1

Read up Javascript users! This vulnerability was posted last year in 2019, yet because of the significant amount of people using Javascript for their web apps, we thought it would be useful to inform people who might not have had time to address the issue. 

This vulnerability has been found in remarkable 1.7.1 and is considered problematic. The component mishandles URL filtering, which allows attackers to trigger an XSS attack via unprintable characters.

Cross site scripting is an injection of malicious code into a trusted web app. As described above, this happens when the user input is not sufficiently validated either on the client or server side. The scripts injected will have malware which then allows the hacker to do a series of exploits. What is more concerning is that the attack could then alter the appearance of the web app and also commence attacks on users visiting that site.

An image of a computer with three people huddled around it, pointing at the screen.
https://unsplash.com/photos/2FPjlAyMQTA

The solution for this vulnerability is to replace remarkable 1.7.1 with versions 1.7.4 to 2.0.0.

CVE-2019-9155

Vulnerability Score: 5.9

Platform: Javascript openpgp

Components: openpgp versions up to 4.2.0 included

This Javascript vulnerability was published in September 2019 and has a medium severity score of 5.9. 

The vulnerability is a cryptographic issue in OpenPGP.js up to and including 4.2.0. This is a library in Javascript and therefore can be used on nearly any device. Users do not have to install a gpg on their machines in order to use this library, and therefore it can be reused in other projects that have browser extensions or server apps. Its main function is to sign, encrypt, decrypt and verify any kind of text, specifically emails. 

The problem allows hackers, who can provide forged messages and get feedback on whether decryption of these messages succeeded, to eventually figure out and extract the victim’s private key.

An image of a key.
https://unsplash.com/photos/Nel8STCcWy8

To avoid this type of attack in the future, developers should identify sensitive data and encrypt them, even if stored on a hard drive. There should also be an effort to ensure the data cannot be overwritten by overwriting sensitive memory locations straight after the data is no longer needed in memory. 

In regards to this specific vulnerability, it is suggested to upgrade openpgp to version 4.3.0 or above. 

That is it from us…for now! Make sure to spread the word on these Javascript vulnerabilities in order to help protect your apps or the apps you develop. Read also our post about javascript vulnerabilities and remote code execution

As you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Javascript

Attention! New .NET Vulnerabilities

Victoria C., , , , , , Leave a comment

4min read

Image of dark room with an open door. Label on the left saying 'Vulnerabilities .NET'

Greetings App Sec community! Meterian is back with some .NET vulnerabilities which need some attention. Both these vulnerabilities are of a medium to high threat nature, so make sure to give this a read, it’ll be worth your while. The first case deals with a cross-site scripting vulnerability, whilst the second can cause a core denial of service issue. Don’t let hackers use this as a backdoor to your systems and networks. Stay protected people!

  • CVE-2019-1301: .NET Core suffers from a denial of service vulnerability when it improperly handles web requests.
  • CVE-2019-12562: There is stored cross-site scripting vulnerability in DotNetNuke (DNN) versions before 9.4.0, allowing attackers to store and embed malicious script into the administration notification page.

CVE-2019-1301

Vulnerability Score: 7.5/HIGH

Platform: .NET

Components: 

Affected Versions: 

  • .NET Core  / Microsoft.NetCore.App: 2.1.0-2.1.12 or 2.2.0-2.2.6
  • System.Net.Sockets: 4.3.0

The first .NET vulnerability we bring to your urgent attention is a denial of service vulnerability which occurs when .NET Core improperly handles web requests. The affected versions are in any .NET Core based application running on .NET Core 2.1.0 to 2.1.12 or 2.2.0 to 2.2.6, and System.Net.Sockets 4.3.0. This is regarded as a high threat to security and should be tended to immediately.

How can you confirm if your .NET application is affected? Run the dotnet –info command to see the list of the versions you have installed. You will then see output as shown below:

Lines of code which show the if your .NET application is affected.
https://github.com/dotnet/announcements/issues/121

If you see that you have a version of .NET Core which is less than 2.1.13 or less than 2.2.7, then unfortunately you are vulnerable. The same applies if you are using the meta-package “Microsoft.NETCore.App”, with the same version range. Please note that this also applies to the package System.Net.Sockets version 4.3.0.

What is .NET Core? It is an open source, development platform which is maintained by Microsoft and the .NET community on GitHub. It can be used to build device, cloud and IoT applications. 

Why is this vulnerability such a threat? Firstly, the attacker who is successful in the exploit of this vulnerability would use the denial of service against the .NET Core web application. Not only can this vulnerability be exploited remotely, but also without authentication of the user-cum-attacker. A denial of service attack (DoS) is focused on making a resource unavailable for the purpose of its design. The unavailability of a resource can come in many forms: manipulating network packets, programming, logical or resource handling vulnerabilities. Sometimes the attacker may execute arbitrary code to access critical information or execute commands on the server. Generally, this type of attack would cause response delays, large-scale losses, interruption to services and therefore an impact on availability. 

So how can you fix this issue? It is recommended to install the latest version of .NET Core but it depends on the versions which you have already installed. You may need to update if you have either version 2.1 (upgrade at least to 2.1.13) or 2.2 (upgrade at least to 2.2.7). If you are using the meta-package, upgrade the meta-package following the same version numbering. Also, if you are using System.Net.Sockets, please upgrade to version 4.3.1

CVE-2019-12562

Vulnerability Score: 6.1/MEDIUM

Platform: .NET

Component: DotNetNuke

Affected Versions: up to 9.4.0

You read right.  DotNetNuke (DNN) has a cross-site scripting vulnerability before versions 9.4.0 which is allowing remote attackers to store and embed malicious script into the admin notification page. The success of this exploit occurs when an admin user visits a notification page with stored cross-site scripting. 

A little information on DNN. First of all, it is a program that runs on Microsoft ASP.NET. It is also a framework, meaning it is a program designed to be extended. When you install DNN it can allow the creation of thousands of individual portals. These portals can then display pages and the pages display modules. More importantly, DNN is an open source web content management system meaning many businesses around the world rely on it for organisational purposes. DNNSoftware.com has over 1million registered members since 2013 and is used on nearly 750,000 websites globally. This might illuminate how many people could be affected by this vulnerability and why this needs urgent attention to avoid getting hacked.

The severity of this vulnerability is emphasized through the fact that stored cross site-scripting is the most dangerous type of cross-site scripting. The exploit could be used to perform any action that has administrator privileges. This includes: managing content, adding users, uploading backdoors to the server and more. 

Once this vulnerability had been detected it was reported to the DNN Software Security Department who have fixed the problem and released a patch. Users should update to the latest version 9.4.0 of DNN to avoid any security holes within their systems and networks. 

That is it from us…for now! Make sure to spread the word on these .NET vulnerabilities in order to help protect your apps or the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Attention! New .NET Vulnerabilities

Read up on more Node.Js Vulnerabilities!

Victoria C., , , , , , Leave a comment

It’s that time of the week again folks. Meterian has two new Node.Js vulnerabilities to inform you on. Both are ranked a severity score of 7.5 and therefore considered to be of urgent attention. The first vulnerability concerns the bson-objectid package and the second the csv-parse module. Act fast and don’t let these vulnerabilities sit within your software/networks, or you could be at serious risk of a cyber attack. 

  • CVE-2019-19729: There is an issue discovered in the bson-objectid package version 1.3.0 for Node.js. Hackers could generate a malformed objectid, resulting in objects in arbitrary forms to bypass formatting if they have a valid bsontype.
  • CVE-2019-17592: The csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. An attacker can cause a program to spend an unnecessary amount of time processing.

CVE-2019-19729

Vulnerability Score: 7.5 /HIGH

Platform: Node.js

Component: bson-objectid

Affected Versions: up to 1.3.0

Read up Node.js users you’ll want to know about this vulnerability! This was discovered on the 12th December 2019 by user Xiaofen9 on Github who noticed that ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to his user-input.

What is bson-objectid? This component allows you to create and parse ObjectIDs without using bigger components, such as other fully-fledged bson libraries.

The problem is that in certain conditions the input object will not be checked and will be returned early. This means that objects in arbitrary (potentially malicious) forms can completely bypass formatting and validation.

https://github.com/williamkapke/bson-objectid/issues/30

So what can hackers do? The manipulation with an unknown input leads to a privilege escalation vulnerability and could lead to an impact on confidentiality, integrity, and availability.

But what does a privilege escalation vulnerability actually entail? It is when a malicious user gains access to the privileges of another user account in a target system. This allows hackers to use these privileges to steal confidential data, run administrative demands or deploy malware.

What can you do to fix this? Unfortunately, at this time of writing there is still no remedy to this vulnerability. However, we recommend to cease using this component or switch to a full bson library like bson.

CVE-2019-17592

Vulnerability Score: 7.5/ HIGH

Platform: Node.js

Component: csv-parse module

Affected Versions: up to 4.4.5

Oh yes…we are not done yet. Here is another Node.js vulnerability for you all! This was discovered on the 14th of October and given a high score of 7.5 by NVD. The affected module is csv-parse which is a CSV module. This project is a parser which converts CSV text inputs into objects. It uses the Node.js stream.Transform API and provides a simple callback-based API. Released for the first time in 2010, it is very easy to use and helps the big community that uses it with large data sets. 

The problem is that before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. A cast option is available in the module, it defines multiple functions to transform values based on their type. When such option is active and an integer cast is required, the corresponding __isInt() function uses a malformed regular expression that processes large inputs extremely slowly.

Why is Regular Expression Denial Service a backdoor for hackers? The attacker will insert in the file a malicious string which they know would take a very long time to evaluate. This means the attacker can make the user spend an excessive amount of time processing, resulting in the user’s executed commands to slow down or become unresponsive. Thus,  the availability of the system degrades. To make things worse, the exploit can be easily and remotely executed depicting clearly why this vulnerability is classified as problematic.

An image of a coffee shop. A barista making coffee with a speech bubble saying '*making coffee slowly*' and a woman at the till looking impatient with a speech bubble saying "My coffee is taking forever".

The best thing to do to avoid getting caught out by such exploit, is to upgrade to version 4.4.6 and above. 

That is it from us…for now! Make sure to spread the word on these critically-rated Node.js vulnerabilities in order to help protect your apps/the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Read up on more Node.Js Vulnerabilities!

New Python Vulnerabilities!

Victoria C., , , , Leave a comment
Image of thief climbing out of laptop shining flashlight on Python icon, titled Vulnerability Focus: Python.

In honour of Meterian introducing Python into their beta production, here are two Python vulnerabilities which you should look out for. We don’t like it when systems or computers behave in unexpected ways. It’s worse when such outcomes result in a cyber security incident. This month’s Python vulnerabilities can cause unexpected behaviours which hackers could exploit to compromise the integrity of your system in unpredictable ways. Don’t waste any time as you could be affected, so read on and learn how to avoid these risks.

  • CVE-2019-18874: through python-psutil versions 5.6.5 there are risks of double free consequences. Attackers could use this issue to cause psutil to crash, therefore a denial of service, and possibly execute arbitrary code.
  • CVE-2019-17626: ReportLab through 3.5.31 allows remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability could affect confidentiality, integrity, and availability within your software/network.

CVE-2019-18874

Vulnerability Score: 7.5 / HIGH

Platform: Python

Component: python-psutil

Affected Versions: up to 5.6.5 inclusive

Indeed…Python has a vulnerability within the package python-psutil. This was discovered on the 11th November 2019 by Riccardo Schirone who noticed that the psutil incorrectly handled certain reference counting operations. 

Python-psutil, is a Python package which provides convenient functions for accessing system process data. It is a cross-platform library for retrieving information on running processes and system utilization in Python. It is mainly used for system monitoring, profiling and limiting process resources and management of running processes. Psutil supports a range of platforms: Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Sun Solaris and AIX.

How does this vulnerability happen? It was caused by incorrect reference counting handling within for/while loops that convert system data into said Python objects. If an error occurred, the reference counter would be dropped twice.   In this case, the computer system’s memory storage is mishandled. Essentially, a double free releases the same area of memory twice.  

How can hackers take advantage of the system? They could use this vulnerability to cause the psutil program to crash which could lead to a denial of service and potentially the execution of arbitrary code. This execution of arbitrary code will provide the attacker with the ability to execute any command of their choice in a target machine or process. Like landmines, this vulnerability is unpredictable and hard to spot. The idea is that the hacker is waiting for the system to trip up in order for the “landmine” (malicious code) to set off and infect the users’ system.

Image of an area with signs saying 'Danger!!!Mines!!!'
https://flickr.com/photos/anzclusters/3404799066/

To remedy this vulnerability, please upgrade to version 5.6.6 or higher of python-psutil. Upgrade fast Python users, you don’t want to be at risk of a cyber attack.

CVE-2019-17626

Vulnerability Score: 9.8 / CRITICAL

Platform: Python

Component: reportlab 

Affected Versions: up to 3.5.31 inclusive

Yes that’s right! We have one more Python vulnerability to inform you on. This one is found within ReportLab up to 3.5.31 and it has allowed remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability was found on the 10th October 2019 and has been classified as critical. The issue is affecting the function toColor of the file colors.py. 

An image displaying the lines of code which show where the vulnerability was found.
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

ReportLab is an open source engine for creating data-driven PDF documents and custom vector graphics. So it is free, hence open-source and widely used to generate reports in Python. The package sees more than 50,000 downloads per month, it is embedded in many products and was even selected to power the print/export feature for Wikipedia. So you can understand now why this vulnerability is critical and urgently needed to be fixed by users.

The issue with this vulnerability is that the manipulation of the input value to <span color=” can lead to a privilege escalation vulnerability. Not only can this attack be initiated remotely but it will impact a user’s confidentiality, integrity and availability. To make matters worse, it has been said that the price of this exploit be around USD $0-$5k since last stated on 16/10/19.

An image of 3 eggs, 2 white one brown. The first egg has a bubble which says in remarks to the brown egg 'Hey how'd you get in here?' and the brown egg has another bubble which says "Oh no they found me". This image represents the vulnerability discussed.
https://www.pexels.com/photo/eggs-in-tray-on-white-surface-1556707/

To remedy this vulnerability, please upgrade to version 3.5.32 or higher.  This is different from the recommendation of NVD which suggests to upgrade to version 3.5.26 or higher.  NVD also references the incorrect CWE, which should be corrected to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’).  Based on Meterian’s analysis, we only see the remediation implemented in versions 3.5.32 or later.  You can verify the code here

Spread the word on these critically-rated, easy-to-exploit Python vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

New Python Vulnerabilities!

New Java Vulnerabilities!

Victoria C., , , , Leave a comment

4min read

Attention to all Java users! Yes, we are back with a brand new set of Java vulnerabilities that I know you would like to get some juicy info on. During September 2019, two Java vulnerabilities have been discovered within the Apereo CAS versions before 6.1.0-RC5 and the Apache Tapestry versions between 5.4.0 to 5.4.3. The former open source vulnerability has been given a score of 8.1 whilst the later a higher score of 9.8 in regards to severity. So hurry, read up and don’t waste any time. You could be affected!

  • CVE-2019-10754 Apereo CAS (org.apereo.cas:*) components could allow a remote authenticated malicious user to obtain sensitive information, caused by the use of weak RandomStringUtils PRNG algorithm. 
  • CVE-2019-0195 Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded.

CVE-2019-10754 

Vulnerability Score: 8.1 / HIGH

Platform: Java

Component: org.apereo.cas (Apereo CAS) 

Affected Versions: versions before 6.1.0-RC5

That’s right folks! Java has another vulnerability. Due to multiple classes using Apereo CAS (before the release of 6.1.0-RC5) and making use of apache commons-lang3 RandomStringUtils for token and ID generation, this has made them predictable and resulted in a cryptography weakness.

Apereo CAS is an open well-documented protocol, as well as an open-source Java server component. It provides support for multiple protocols (CAS, SAML, OAuth, OpenID) and is a library for clients such as Java, .NET, PHP, Perl, Apache, uPortal and more! Apereo’s mission is to help educational organizations ‘collaborate to foster, develop, and sustain open technologies and innovation to support learning, teaching and research’.

For example, org.apereo.cas:cas-server-support-simple-mfa is a package that allows Apereo CAS to act as a multifactor authentication provider by itself. This generates tokens and allows them to be sent to end-users via pre-defined communication channels such as email or text message. Please also note that this vulnerability affects multiple components of the Apereo CAS framework. 

So what is the threat? Well, the affected versions of this package are vulnerable to Insecure Randomness, as it relies on apache commons-lang3 RandomStringUtil  which can produce predictable results. So, this could allow an attacker to generate their own unique Ticket ID due to insufficient randomness. In other words, the attacker could guess the encryptionSecret used within GenerateJwtCommand and allow them to impersonate a user. This also means the attacker will have access to sensitive information caused by the use of the weak RandomStringUtils PRNG algorithm. 

Image showing user communicating with the server, and the hacker impersonating the user.

But don’t fret. There is a solution. It has been recommended to upgrade org.apereo.cas to version 6.1.0-RC5 or higher.

Java users, don’t give cyber criminals the chance to access your data. Act fast and upgrade org.apereo.cas! 

CVE-2019-0195

Vulnerability Score: 9.8 / CRITICAL

Platform: Java

Component: org.apache.tapestry (Apache Tapestry)

Affected Versions: versions 5.4.0 to 5.4.3.

We are not done yet folks! We have one more Java vulnerability to inform you guys on. Within the Apache Tapestry versions 5.4.0 to 5.4.3, the manipulating classpath asset file URLs allow an attacker to guess the path of a known file in the classpath and, as a result, download it. This was discovered on the 16/09/19 by Thiago H. de Paula Figueiredo.

The Apache Tapestry is an open-source framework for creating web applications in Java or other JVM languages. It also complements and builds upon standard Java Servlet API and works in any application server. Apache Tapestry has a long history. It has the oldest code, dating all the way back to 2000. This has resulted in many releases; developers now concentrate on Tapestry 5 as opposed to 3 and 4. 

What is tapestry.hmac-passphrase you say? This symbol is used to configure hash-based message authentication of Tapestry data stored in forms, or in the URL. In other words, your application is less secure and therefore more vulnerable to denial-of-service attacks. Especially when this symbol is not configured.

With various techniques, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the  tapestry.hmac-passphrase configuration symbol, then they could use it to craft a Java deserialization attack, thus running a malicious injected Java code. 

Image showing a hacker guessing a file location, downloading the pass phrase and a computer showing it is has been hacked.

The recommended mitigation for this vulnerability has been suggested to upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x version. 

That is it from us…for now! Make sure to spread the word on these critically-rated Java vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so we recommend you regularly scan your code repositories for new known vulnerabilities. Don’t get caught off guard!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

New Java Vulnerabilities!