The ClassLoader binding issue...


The ClassLoader binding issue...

VANKEISBELCK Remi
Hi folks,

I haven't seen any communication about this fix :
https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a

It seems to be a quite ugly security issue actually, same as :
http://struts.apache.org/announce.html ClassLoader manipulation ? Holy sh*t ! Running arbitrary code now ? wtf ?

Do we plan to release a hot fix for 1.5.7 ? Or release 1.5.8 ?

I guess we might also wanna drop an email on the users list. This is something all stripes should be aware of. Good opportunity to recall about @Validate and @StrictBinding, for those who don't use it...

Cheers

Rémi

  

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
_______________________________________________
Stripes-development mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-development

Re: The ClassLoader binding issue...

Timothy Stone-6
Remi,

Do we know how far back this goes? We run 1.5.3 and 1.5.7.

Tim

On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:

> Hi folks,
>
> I haven't seen any communication about this fix :
> https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
>
>  It seems to be a quite ugly security issue actually, same as :
> http://struts.apache.org/announce.html ClassLoader manipulation ?
> Holy sh*t ! Running arbitrary code now ? wtf ?
>
> Do we plan to release a hot fix for 1.5.7 ? Or release 1.5.8 ?
>
> I guess we might also wanna drop an email on the users list. This
> is something all stripes should be aware of. Good opportunity to
> recall about @Validate and @StrictBinding, for those who don't use
> it...
>
> Cheers
>
> Rémi

Re: The ClassLoader binding issue...

Timothy Stone-6
In reply to this post by VANKEISBELCK Remi
Remi and Ben,

Additionally, Struts provided a "mitigation" in the interim of a
general release (http://struts.apache.org/announce.html#a20140424).

Prior to a general release such a mitigation would be advisable if
available.

I'll be leading an effort to patch or upgrade our installations next week.

Regards,
Tim


Re: The ClassLoader binding issue...

VANKEISBELCK Remi
I will release a patched 1.5.7 today instead of mitigating; it'll be even faster. The code is already fixed, all we need is a little "mvn deploy" basically. Then people simply rebuild or wait for the central version.

I'm just waiting for a green light from Ben. 

Cheers

Rémi


2014-04-27 22:10 GMT+02:00 Timothy Stone <[hidden email]>:

> Remi and Ben,
>
> Additionally, Struts provided a "mitigation" in the interim of a
> general release (http://struts.apache.org/announce.html#a20140424).
>
> Prior to a general release such a mitigation would be advisable if
> available.
>
> I'll be leading an effort to patch or upgrade our installations next week.
>
> Regards,
> Tim

Re: The ClassLoader binding issue...

VANKEISBELCK Remi
In reply to this post by Timothy Stone-6
All versions are impacted AFAIK if you run Tomcat 8. The whole thing is about using a bindable path to the class loader in order to exec arbitrary code on the server.

I could not reproduce on Jetty using the same path, and I didn't have time to check Tomcat 6 and 7 yesterday, which I'll do today.

But in any case, this fix is required ASAP, as you can't know all possible bindings on ClassLoader, especially those of the various containers...

Cheers

Remi


2014-04-27 22:00 GMT+02:00 Timothy Stone <[hidden email]>:

> Remi,
>
> Do we know how far back this goes? We run 1.5.3 and 1.5.7.
>
> Tim

Re: The ClassLoader binding issue...

VANKEISBELCK Remi
Hi again folks,

I have pushed a hot fix in branch /1.5.7-classloaderfix :

I have branched from the 1.5.7 tag in the 1.5.x branch, and included only Ben's fixed BindingPolicyManager. Should fix the class loader problem.

The version (in the pom) is 1.5.7-classloaderfix.

All tests are green, and I haven't changed anything else, so no regression is to be expected.

I'm currently trying to release to maven central for those who don't want (can't) rebuild Stripes.

Cheers

Rémi

PS: older versions could be patched the same way I guess : the fix in BindingPolicyManager is internal, doesn't break any API.



2014-04-28 9:08 GMT+02:00 VANKEISBELCK Remi <[hidden email]>:

> All versions are impacted AFAIK if you run Tomcat 8. The whole thing is about using a bindable path to the class loader in order to exec arbitrary code on the server.
>
> I could not reproduce on Jetty using the same path, and I didn't have time to check Tomcat 6 and 7 yesterday, which I'll do today.
>
> But in any case, this fix is required ASAP, as you can't know all possible bindings on ClassLoader, especially those of the various containers...
>
> Cheers
>
> Remi

Re: The ClassLoader binding issue...

VANKEISBELCK Remi
The 1.5.7-classloaderfix version is on its way to Maven Central and should be available in a few hours.


Cheers

Rémi


2014-04-28 10:35 GMT+02:00 VANKEISBELCK Remi <[hidden email]>:

> Hi again folks,
>
> I have pushed a hot fix in branch /1.5.7-classloaderfix :
>
> I have branched from the 1.5.7 tag in the 1.5.x branch, and included only Ben's fixed BindingPolicyManager. Should fix the class loader problem.
>
> The version (in the pom) is 1.5.7-classloaderfix.
>
> All tests are green, and I haven't changed anything else, so no regression is to be expected.
>
> I'm currently trying to release to maven central for those who don't want (can't) rebuild Stripes.
>
> Cheers
>
> Rémi
>
> PS: older versions could be patched the same way I guess : the fix in BindingPolicyManager is internal, doesn't break any API.

Re: The ClassLoader binding issue...

VANKEISBELCK Remi
It's there :

        <dependency>
            <groupId>net.sourceforge.stripes</groupId>
            <artifactId>stripes</artifactId>
            <version>1.5.7-classloaderfix</version>
        </dependency>

Cheers

Rémi


2014-04-28 10:59 GMT+02:00 VANKEISBELCK Remi <[hidden email]>:

> The 1.5.7-classloaderfix version is on its way to Maven Central and should be available in a few hours.
>
> Cheers
>
> Rémi

Re: The ClassLoader binding issue...

Ben Gunter
This affects all releases prior to the 1.5.7-classloaderfix Remi just released. However, if you're making proper use of @StrictBinding then you're probably safe. Generally, binding access controls will prevent binding to anything that isn't explicitly allowed.

For those who are not using @StrictBinding at all, the issue can be mitigated by adding the following annotation to their base ActionBean class:

@StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")

That will prevent a request from getting to the class loader via the class property. If there are other paths to the class loader, they can be handled similarly.

-Ben



On Mon, Apr 28, 2014 at 5:47 AM, VANKEISBELCK Remi <[hidden email]> wrote:

> It's there :
>
>         <dependency>
>             <groupId>net.sourceforge.stripes</groupId>
>             <artifactId>stripes</artifactId>
>             <version>1.5.7-classloaderfix</version>
>         </dependency>
>
> Cheers
>
> Rémi
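The mechanism Remi describes earlier in the thread (a request parameter name walked as a dotted property path until it lands on the ClassLoader) and the @StrictBinding deny patterns Ben gives above are both shown in the following added example. It is not Stripes code and not from anyone in this thread: the BindingPolicyDemo class, the hypothetical SampleBean, the toy reflective binder and the wildcard semantics ('*' matches one path segment, '**' one or more) are this example's own assumptions; only the deny list "class.**,**.class.**" is taken verbatim from Ben's annotation.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.regex.Pattern;

// Added example, not Stripes code. A toy request-parameter binder that walks a
// dotted property path with JavaBeans reflection (the "bindable path to the
// class loader" from the thread), next to a deny-pattern check modelled on the
// annotation Ben posted:
//   @StrictBinding(defaultPolicy = Policy.ALLOW, deny = "class.**,**.class.**")
// Wildcard semantics are this example's own assumption: "*" matches exactly one
// path segment, "**" matches one or more segments.
public class BindingPolicyDemo {

    /** Hypothetical ActionBean-like target; "name" is its only intended property. */
    public static class SampleBean {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Deny patterns copied from the thread; everything else is allowed (Policy.ALLOW). */
    static final String[] DENY = { "class.**", "**.class.**" };

    /** Translate one glob pattern into an anchored regex over the dotted path. */
    static Pattern globToRegex(String glob) {
        StringBuilder re = new StringBuilder("^");
        String[] segs = glob.split("\\.");
        for (int i = 0; i < segs.length; i++) {
            if (i > 0) re.append("\\.");
            if (segs[i].equals("**")) re.append(".+");          // one or more segments
            else if (segs[i].equals("*")) re.append("[^.]+");   // exactly one segment
            else re.append(Pattern.quote(segs[i]));             // literal property name
        }
        return Pattern.compile(re.append("$").toString());
    }

    /** True when the dotted path matches any deny pattern. */
    static boolean isDenied(String path) {
        for (String glob : DENY) {
            if (globToRegex(glob).matcher(path).matches()) return true;
        }
        return false;
    }

    /** Read a JavaBean property through its getter; Introspector exposes getClass() as "class". */
    static Object readProperty(Object bean, String property) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            if (pd.getName().equals(property) && pd.getReadMethod() != null) {
                return pd.getReadMethod().invoke(bean);
            }
        }
        throw new IllegalArgumentException("no readable property '" + property + "' on " + bean.getClass().getName());
    }

    /**
     * Naive binder: walk every segment but the last and return the object the final
     * segment would be set on. With no policy, "class.classLoader.x" lands on the
     * bean's ClassLoader, and from there on whatever the container's loader exposes.
     */
    static Object resolveTarget(Object root, String path) throws Exception {
        String[] segs = path.split("\\.");
        Object current = root;
        for (int i = 0; i < segs.length - 1; i++) {
            current = readProperty(current, segs[i]);
        }
        return current;
    }

    /** Policy-checked binder: refuse the walk before any getter is touched. */
    static Object resolveTargetStrict(Object root, String path) throws Exception {
        if (isDenied(path)) {
            throw new SecurityException("binding to '" + path + "' denied by policy");
        }
        return resolveTarget(root, path);
    }

    public static void main(String[] args) throws Exception {
        SampleBean bean = new SampleBean();
        String harmless = "name";
        String hostile = "class.classLoader.someProperty";       // direct path to the loader
        String nested = "owner.class.classLoader.someProperty";  // same loader via a nested bean

        // The naive binder reaches a ClassLoader instance from a plain parameter name.
        Object reached = resolveTarget(bean, hostile);
        System.out.println("naive binder reached: " + reached.getClass().getName()
                + " (ClassLoader? " + (reached instanceof ClassLoader) + ")");

        // The deny list classifies the three paths: only "name" stays bindable.
        System.out.println(harmless + " denied: " + isDenied(harmless));
        System.out.println(hostile + " denied: " + isDenied(hostile));
        System.out.println(nested + " denied: " + isDenied(nested));

        // The strict binder refuses the hostile path before reflection runs.
        try {
            resolveTargetStrict(bean, hostile);
        } catch (SecurityException e) {
            System.out.println("strict binder: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac BindingPolicyDemo.java && java BindingPolicyDemo`. The first line of output names the application class loader, which is the object the naive walk hands a request parameter access to; the deny check then rejects both the direct path and the nested one while leaving "name" bindable. In a real Stripes application the equivalent is the annotation on the base ActionBean class that Ben gives, and, as Remi notes, the upgrade to 1.5.7-classloaderfix, since a deny list only covers the paths to the loader you have thought of.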


