Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 783510 (CVE-2019-0195, CVE-2021-27850)

Summary: dev-java/tapestry: remote code execution (CVE-2019-0195, CVE-2021-27850)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: fordfrog, java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa?]
Package list:
Runtime testing required: ---
Deadline: 2021-05-18   

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-17 23:25:24 UTC 
CVE-2021-27850:

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.


Please bump.
Comment 1 Miroslav Šulc gentoo-dev 2021-04-18 15:56:03 UTC 
not sure about the fate of this project. it uses only gradle to build, which we don't support. it might be better to last-rite and if missed, maybe someone might step up to package it. the other option is to go the -bin way, but i'd prefer removal. any objections?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-21 16:35:07 UTC 
There's also CVE-2019-0195, which CVE-2021-27850 was an incomplete fix of:

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
Comment 3 Larry the Git Cow gentoo-dev 2021-05-17 21:10:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67101bfb96ab495d37941d4e33fdc6d7a44b1a47

commit 67101bfb96ab495d37941d4e33fdc6d7a44b1a47
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-05-17 11:45:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-17 21:09:28 +0000

    dev-java/tapestry: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/783510
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Closes: https://github.com/gentoo/gentoo/pull/20855
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/tapestry/Manifest                 |  1 -
 dev-java/tapestry/files/Version.properties |  5 --
 dev-java/tapestry/files/build.properties   | 32 ----------
 dev-java/tapestry/files/common.properties  | 94 ------------------------------
 dev-java/tapestry/metadata.xml             | 15 -----
 dev-java/tapestry/tapestry-3.0.4-r3.ebuild | 70 ----------------------
 profiles/package.mask                      |  8 ---
 7 files changed, 225 deletions(-)
[+] Comment 4 NATTkA bot gentoo-dev Security 2021-07-29 17:23:02 UTC Comment hidden (obsolete)
[+] Comment 5 NATTkA bot gentoo-dev Security 2021-07-29 17:31:22 UTC Comment hidden (obsolete)
[+] Comment 6 NATTkA bot gentoo-dev Security 2021-07-29 17:39:20 UTC Comment hidden (obsolete)
[+] Comment 7 NATTkA bot gentoo-dev Security 2021-07-29 17:47:28 UTC Comment hidden (obsolete)
[+] Comment 8 NATTkA bot gentoo-dev Security 2021-07-29 18:03:26 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev Security 2021-07-29 18:11:43 UTC 
Package list is empty or all packages have requested keywords.
Comment 10 Hans de Graaff gentoo-dev Security 2023-10-06 16:11:53 UTC 
commit 67101bfb96ab495d37941d4e33fdc6d7a44b1a47
Author: Jakov Smolic <jakov.smolic@sartura.hr>
Date:   Mon May 17 12:45:42 2021 +0100

    dev-java/tapestry: Remove last-rited pkg