CVE-2021-27850: A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class`, which contains an HMAC secret key, by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:
* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

Please bump.
Not sure about the fate of this project. It uses only Gradle to build, which we don't support. It might be better to last-rite it and, if missed, maybe someone might step up to package it. The other option is to go the -bin way, but I'd prefer removal. Any objections?
There's also CVE-2019-0195, which CVE-2021-27850 was an incomplete fix of: Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67101bfb96ab495d37941d4e33fdc6d7a44b1a47

commit 67101bfb96ab495d37941d4e33fdc6d7a44b1a47
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-05-17 11:45:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-17 21:09:28 +0000

    dev-java/tapestry: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/783510
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Closes: https://github.com/gentoo/gentoo/pull/20855
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/tapestry/Manifest                 |  1 -
 dev-java/tapestry/files/Version.properties |  5 --
 dev-java/tapestry/files/build.properties   | 32 ----------
 dev-java/tapestry/files/common.properties  | 94 ------------------------------
 dev-java/tapestry/metadata.xml             | 15 -----
 dev-java/tapestry/tapestry-3.0.4-r3.ebuild | 70 ----------------------
 profiles/package.mask                      |  8 ---
 7 files changed, 225 deletions(-)