Discussion:
apache-commons-fileupload symlink vulnerability CVE-2013-0248
Charlie Martin
2015-07-23 10:41:06 UTC
Hi,

The current (v1.6.3) and previous releases of Axis2 contain the apache
commons-fileupload-1.2.jar.

This jar is flagged as being vulnerable to CVE-2013-0248

Could anyone confirm if either:
This vulnerability is not applicable to the use of the jar in Axis2
If an update is planned

Details of the vulnerability:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248

Many thanks,
Charlie Martin


WebSphere MQ Development
IBM Hursley Labs, Hursley Park, Winchester, Hants. SO21 2JN. UK.
Email: ***@uk.ibm.com
Tel: +44 (0) 1962 815860, Internal: 37245860


Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

Martin Gainty
2015-07-23 12:41:41 UTC
Mr Martin

upgrade to commons.fileupload.version 1.3 in both
modules/fastinfoset/pom.xml and
modules/parent/pom.xml
will mitigate CVE-2013-0248


modules/fastinfoset/pom.xml:
<!-- fastinfoset dependency CVE-2013-0248 vulnerability averted by specifying version -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3</version> <!-- commons-fileupload versions 1.0 - 1.2.2 are subject to CVE-2013-0248 -->
</dependency>
modules/parent/pom.xml:
<!-- commons-fileupload versions 1.0 - 1.2.2 are subject to CVE-2013-0248 upgrade to 1.3 to mitigate -->
<!-- commons.fileupload.version>1.2</commons.fileupload.version -->
<commons.fileupload.version>1.3</commons.fileupload.version>


Andreas please confirm

Thanks to Mr Martin for detecting this vulnerability
Martin --
Andreas Veithen
2015-08-02 00:12:03 UTC
For this vulnerability to be exploitable, the following conditions must be met:

1) The attacker must have shell access to the machine on which Axis2
runs with any account. Obviously the vulnerability is interesting only
if that account is unprivileged and different from the account Axis2
runs as.
2) Axis2 must be configured to use the servlet based HTTP transport
(because commons-fileupload depends on the servlet API).
3) The temporary directory as configured by the java.io.tmpdir system
property must be writable to the attacker. In practice, this means
world writable, as is the case if java.io.tmpdir is set to /tmp.
4) MultipartFormDataBuilder must be enabled. This is the case for the
default axis2.xml config file distributed with Axis2.
5) At least one Web service must be deployed on Axis2. [I'm not 100%
sure here, but this condition is trivially satisfied in most cases
anyway]

For the standalone Axis2 server, condition 3 is satisfied, but 2 is
not. Tomcat sets java.io.tmpdir to a directory that is writable only
to the user the Tomcat instance runs as. Therefore condition 2 is not
satisfied, and Axis2 deployments on Tomcat are not vulnerable. I would
expect that any decent application server behaves similarly to Tomcat. A
notable exception is IBM WebSphere Application Server which doesn't
change java.io.tmpdir, so that it points to the default /tmp. This
would mean that Axis2 applications deployed on WAS will likely be
vulnerable. Note that I believe that the Axis2 version that is part of
the JAX-WS implementation in the WAS runtime is not vulnerable because
it doesn't enable MultipartFormDataBuilder.

Also note that the mitigation strategy is trivial: upgrade
commons-fileupload or disable MultipartFormDataBuilder.

Andreas

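The three conditions from Andreas's reply that an operator can verify from configuration alone (the bundled commons-fileupload version, whether MultipartFormDataBuilder is registered in axis2.xml, and whether the java.io.tmpdir directory is world-writable) lend themselves to a small triage script. The following is an added example written for this thread; it is not code from the Axis2 project or from any of the posters. The axis2.xml fragment and the WEB-INF/lib listing are constructed samples (the messageBuilder element and the org.apache.axis2.builder.MultipartFormDataBuilder class name are the real ones from the default configuration; the other jar names are illustrative), and the world-writable and owner-only temporary directories stand in for the /tmp default that WAS keeps and the private directory that Tomcat sets.

```python
"""Defender-side triage for CVE-2013-0248 in an Axis2 deployment.

Added example for this thread; not code from the Axis2 project or any poster.
It checks, offline, the conditions from the thread that configuration reveals:
  - the bundled commons-fileupload jar version (1.0 - 1.2.2 affected, 1.3 fixed),
  - whether axis2.xml registers MultipartFormDataBuilder,
  - whether the directory java.io.tmpdir points to is world-writable.
A local unprivileged account (condition 1) and a deployed service (condition 5)
are deployment facts the script cannot see and are left to the operator.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 3)  # commons-fileupload 1.3 addresses CVE-2013-0248


def parse_version(text):
    """'1.2.2' -> (1, 2, 2); tuple comparison gives the usual version order."""
    return tuple(int(p) for p in text.split("."))


def vulnerable_fileupload_jars(jar_names):
    """Return the commons-fileupload jars whose version predates the fix."""
    found = []
    for name in jar_names:
        m = re.fullmatch(r"commons-fileupload-(\d+(?:\.\d+)*)\.jar", name)
        if m and parse_version(m.group(1)) < FIXED_VERSION:
            found.append(name)
    return found


def multipart_builder_enabled(axis2_xml):
    """True if a <messageBuilder> in axis2.xml names MultipartFormDataBuilder."""
    root = ET.fromstring(axis2_xml)
    return any(mb.get("class", "").endswith("MultipartFormDataBuilder")
               for mb in root.iter("messageBuilder"))


def tmpdir_world_writable(path):
    """True if 'other' has write permission on the directory (as with /tmp)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def assess(jar_names, axis2_xml, tmpdir):
    """Combine the checks as the thread does: all must hold to be exposed."""
    jars = vulnerable_fileupload_jars(jar_names)
    builder = multipart_builder_enabled(axis2_xml)
    shared_tmp = tmpdir_world_writable(tmpdir)
    return {
        "vulnerable_jars": jars,
        "multipart_builder_enabled": builder,
        "tmpdir_world_writable": shared_tmp,
        # Mitigation from the thread: upgrade the jar, or disable the builder.
        "exposed": bool(jars) and builder and shared_tmp,
    }


# Constructed axis2.xml fragment modelled on the default messageBuilders
# section; element and class names are real, the rest of the file is omitted.
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
  <messageBuilders>
    <messageBuilder contentType="application/xml"
                    class="org.apache.axis2.builder.ApplicationXMLBuilder"/>
    <messageBuilder contentType="multipart/form-data"
                    class="org.apache.axis2.builder.MultipartFormDataBuilder"/>
  </messageBuilders>
</axisconfig>"""

# Constructed WEB-INF/lib listing; the commons-fileupload entry is the one the
# thread reports for Axis2 1.6.3, the other names are illustrative.
SAMPLE_LIB = ["axis2-kernel-1.6.3.jar", "commons-fileupload-1.2.jar", "commons-io-1.4.jar"]


def demo():
    """Assess a /tmp-like directory (WAS default) and an owner-only one (Tomcat)."""
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "tmp")
        private = os.path.join(base, "private")
        os.mkdir(shared)
        os.mkdir(private)
        os.chmod(shared, 0o1777)   # world-writable with sticky bit, like /tmp
        os.chmod(private, 0o700)   # owner-only, like Tomcat's java.io.tmpdir
        return {
            "was_like": assess(SAMPLE_LIB, SAMPLE_AXIS2_XML, shared),
            "tomcat_like": assess(SAMPLE_LIB, SAMPLE_AXIS2_XML, private),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On a real host, pass the actual WEB-INF/lib listing, the deployed axis2.xml, and the value of java.io.tmpdir the JVM was started with (not the shell's TMPDIR) to assess(); the "exposed" flag only turns true when every configuration-visible condition holds, matching the reply's point that a private temporary directory alone is enough to close the window.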