Posted to user@cayenne.apache.org by Aristedes Maniatis <ar...@ish.com.au.INVALID> on 2022/02/11 21:50:07 UTC

Security announcement: CVE-2022-24289

== Environment

A security issue has been discovered in Apache Cayenne ROP. Remote 
Object Persistence (ROP) is an optional component in Cayenne which is a 
Java client library used to execute Cayenne operations (query, insert, 
update, etc) and access the object data map in the client environment.

ROP has two options for serialising data between client and server: 
Hessian and protobuf. It is the older Hessian which is the subject of 
today's security announcement.


== Vulnerability

In Apache Cayenne 4.1 and earlier, running on non-current patch versions 
of Java, an attacker with client access to Cayenne ROP can transmit a 
malicious payload to any vulnerable third-party dependency on the 
server.  This can result in arbitrary code execution.


== Workaround

Do one of the following:

* upgrade to Apache Cayenne 4.2

* upgrade to a patched version of Java (after 6u211, 7u201, 8u191, and 
11.0.1)

* use protobuf instead of hessian serialisation


All versions of Apache Cayenne 4.2 have whitelisting enabled by default 
for the Hessian deserialization.  Later versions of Java also have LDAP 
mitigation in place. Users can either upgrade Java or Apache Cayenne to 
avoid the issue.

LDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 
11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property 
is set to false by default to prevent JNDI from loading remote code 
through LDAP.


A patched version of Cayenne 4.1 (or earlier) will not be released since 
we believe there are sufficient ways to avoid the issue and the number 
of people using ROP is likely quite low. Given the security model of 
ROP, it is also most likely used in a scenario where the client is trusted.

Our thanks to Panda for discovering and responsibly reporting the issue.


Ari Maniatis

on behalf of the Cayenne PMC
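
A quick check, added here and not part of the announcement or of Cayenne itself, that classifies a JDK version string against the mitigated releases listed above (6u211, 7u201, 8u191, 11.0.1). The function name is hypothetical; it only encodes the versions the announcement names, so Java 9 and 10 (and anything unparseable) are reported as unknown rather than guessed.

```shell
#!/bin/sh
# ldap_mitigation_status VERSION
# VERSION is the string inside the quotes on the first line of `java -version`,
# e.g. 1.8.0_191 or 11.0.1. Prints one of: patched, vulnerable, unknown.
# "patched" means the JDK is at or after the first release that defaults
# com.sun.jndi.ldap.object.trustURLCodebase to false (per the announcement).
ldap_mitigation_status() {
    v=$1
    case "$v" in
        1.[678].0_*)
            # Legacy "1.MAJOR.0_UPDATE[-bNN]" layout used by Java 6, 7 and 8.
            major=${v#1.}; major=${major%%.*}
            update=${v#*_}; update=${update%%[!0-9]*}
            case "$major" in 6) min=211 ;; 7) min=201 ;; *) min=191 ;; esac
            if [ -n "$update" ] && [ "$update" -ge "$min" ]; then
                echo patched
            else
                echo vulnerable
            fi
            ;;
        [0-9]*)
            # "MAJOR.MINOR.PATCH" layout used since Java 9.
            major=${v%%[!0-9]*}
            rest=${v#"$major"}; rest=${rest#.}
            minor=${rest%%[!0-9]*}; rest=${rest#"$minor"}; rest=${rest#.}
            patch=${rest%%[!0-9]*}
            if [ "$major" -ge 12 ]; then
                echo patched      # released after 11.0.1
            elif [ "$major" -ne 11 ]; then
                echo unknown      # 9, 10, or a 1.x with no update: not covered above
            elif [ "${minor:-0}" -gt 0 ] || [ "${patch:-0}" -ge 1 ]; then
                echo patched
            else
                echo vulnerable
            fi
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Usage: classify the JVM on PATH, if there is one (`java -version` writes to stderr).
if command -v java >/dev/null 2>&1; then
    running=$(java -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')
    echo "java $running: $(ldap_mitigation_status "$running")"
fi
```

A "patched" result only covers the JNDI/LDAP default; the Hessian endpoint itself is still reachable, so the 4.2 whitelist or protobuf remains the real fix.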


Any ROP users?

Posted by Aristedes Maniatis <ar...@ish.com.au.INVALID>.
On the heels of the security announcement, there has been discussion on 
removing ROP from the next major Cayenne release after 4.2.

ROP was modelled on a similar Java Client feature in Webobjects/EOF and 
there is nothing else quite like it in other ORMs: the ability to just 
use normal Cayenne operations from the client machine without worrying 
about how those operations get to the server and how data objects are returned.

It has some limitations:

* limited security. There is no simple way to add an authorisation layer 
to restrict access to certain objects or fields. Authentication and 
encryption are really simple, but per object authorisation is hard.

* Java client. Although it is possible to write Cayenne in other 
languages, no one has done so. There was some work ages ago on 
Cocoa/Objective C bindings. Java client UI (swing/javaFX) is not popular 
these days.

* upgrading. You need to upgrade the client and server at the same time.


But it is really quite neat. Maybe I'm a bit sentimental since I used to 
use it extensively for many years. But I've moved onto react/js/browser 
clients which means that server-client serialisation is now over 
json/swagger/jackson/CXF. Authorisation is now easy and the client UI 
more lovely.


Is anyone using ROP? Should we remove it from the next Cayenne and 
reduce the burden of maintenance?


Ari


On 12/2/2022 8:50am, Aristedes Maniatis wrote:
> A patched version of Cayenne 4.1 (or earlier) will not be released 
> since we believe there are sufficient ways to avoid the issue and the 
> number of people using ROP is likely quite low. Given the security 
> model of ROP, it is also most likely used in a scenario where the 
> client is trusted.