You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@cayenne.apache.org by Aristedes Maniatis <ar...@ish.com.au.INVALID> on 2022/02/11 21:50:07 UTC
Security announcement: CVE-2022-24289
== Environment
A security issue has been discovered in Apache Cayenne ROP. Remote
Object Persistence (ROP) is an optional component in Cayenne which is a
Java client library used to execute Cayenne operations (query, insert,
update, etc) and access the object data map in the client environment.
ROP has two options for serialising data between client and server:
Hessian and protobuf. It is the older Hessian which is the subject of
today's security announcement.
== Vulnerability
In Apache Cayenne 4.1 and earlier, running on non-current patch versions
of Java, an attacker with client access to Cayenne ROP can transmit a
malicious payload to any vulnerable third-party dependency on the
server. This can result in arbitrary code execution.
== Workaround
Do one of the following:
* upgrade to Apache Cayenne 4.2
* upgrade to a patched version of Java (after 6u211, 7u201, 8u191, and
11.0.1)
* use protobuf instead of hessian serialisation
All versions of Apache Cayenne 4.2 have whitelisting enabled by default
for the Hessian deserialization. Later versions of Java also have LDAP
mitigation in place. Users can either upgrade Java or Apache Cayenne to
avoid the issue.
LDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and
11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property
is set to false by default to prevent JNDI from loading remote code
through LDAP.
A patched version of Cayenne 4.1 (or earlier) will not be released since
we believe there are sufficient ways to avoid the issue and the number
of people using ROP is likely quite low. Given the security model of
ROP, it is also most likely used in a scenario where the client is trusted.
Our thanks to Panda for discovering and responsibly reporting the issue.
Ari Maniatis
on behalf of the Cayenne PMC
Any ROP users?
Posted by Aristedes Maniatis <ar...@ish.com.au.INVALID>.
On the heels of the security announcement, there has been discussion on
removing ROP from the next major Cayenne release after 4.2.
ROP was modelled on a similar Java Client feature in Webobjects/EOF and
there is nothing else quite like it in other ORMs. The ability to just
use normal Cayenne operations from the client machine without worrying
about how those operations get to the server and data objects are returned.
It has some limitations:
* limited security. There is no simple way to add an authorisation layer
to restrict access to certain objects or fields. Authentication and
encryption are really simple, but per object authorisation is hard.
* Java client. Although it is possible to write Cayenne in other
languages, no one has done so. There was some work ages ago on
Cocoa/Objective C bindings. Java client UI (swing/javaFX) is not popular
these days.
* upgrading. You need to upgrade the client and server at the same time
But it is really quite neat. Maybe I'm a bit sentimental since I used to
use it extensively for many years. But I've moved onto react/js/browser
clients which means that server-client serialisation is now over
json/swagger/jackson/CXF. Authorisation is now easy and the client UI
more lovely.
Is anyone using ROP? Should we remove it from the next Cayenne and
reduce the burden of maintenance?
Ari
On 12/2/2022 8:50am, Aristedes Maniatis wrote:
> A patched version of Cayenne 4.1 (or earlier) will not be released
> since we believe there are sufficient ways to avoid the issue and the
> number of people using ROP is likely quite low. Given the security
> model of ROP, it is also most likely used in a scenario where the
> client is trusted.