Posted to dev@freemarker.apache.org by "Demarcq, Arnaud" <Ar...@experian.com.INVALID> on 2022/03/07 14:43:22 UTC

CVE-2021-46361 in freemarker lib

Dear dev@freemarker.apache.org<ma...@freemarker.apache.org>,

We are using freemarker as our main templating engine for the various software my team and I are maintaining.

In order to be certain our software is secure and compliant with the latest security standards, our code is dynamically tested with Veracode. We're currently having the latest version of freemarker flagged as dangerous because of this CVE:

CVE-2021-46361<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46361>
undefined: org.freemarker:freemarker is vulnerable to arbitrary code execution. Remote attackers are able to inject and execute malicious scripts on the host machine via crafted payloads to bypass security restrictions.


The options we have are:

  *   Waiting for a new release of freemarker that fixes this CVE
  *   Switching to another templating engine (which I would like to avoid if we can, as this would mean a breach in ascending compatibility due to syntax in the templates).

Can you please kindly share if this issue is being actively worked on? If it is, do you have a tentative date for the next release?

Many thanks and kind regards,

Arnaud DEMARCQ


Re: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Posted by Daniel Dekany <da...@gmail.com>.
Sorry, you also asked about the next release. I don't know at this point,
because the main feature would be proper java.time support (FREEMARKER-35),
but it's stretching and stretching. As FreeMarker 2.3.x has to keep
backward compatibility, it's very risky to release features early, with
minimal functionality, and there are a lot of non-obvious things there, edge
cases and all. Of course if it goes on like that for long, it will be just
left out in favor of smaller features...

-- 
Best regards,
Daniel Dekany

RE: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Posted by "Demarcq, Arnaud" <Ar...@experian.com.INVALID>.
Thanks for your response.

In terms of security, we're good, as the templates themselves are made by trusted sources (and not in any case uploaded dynamically by users).

My concern is more that I don't have the right to release any software that does not score 100 in Veracode (amongst other security related items) as per my organization's Secure Software policy. So I might be in a situation where I've got a perfectly secure piece of software that I can't release due to that.

Many thanks and kind regards,

Arnaud

Re: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Posted by Daniel Dekany <da...@gmail.com>.
Actually, FreeMarker does
block java.security.ProtectionDomain.getClassLoader *since 2.3.30*,
released on 2020-03-05, not just since 2.3.31. So even 2.3.30 is safe from
this particular CVE. I'm also discussing this with Veracode, and they did
answer, so we will see if they will update their database.

And yet again, if that CVE was a real problem for you, then you certainly
have much more problems there:
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security

-- 
Best regards,
Daniel Dekany

RE: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Posted by "Demarcq, Arnaud" <Ar...@experian.com.INVALID>.
Hi @Daniel Dekany<ma...@gmail.com>,

Thanks for the confirmation.

Kind regards,

Arnaud

Re: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Posted by Daniel Dekany <da...@gmail.com>.
Yes, if the problem is what they have linked, then you are safe with
2.3.31. But, if somebody was affected by this issue, then I strongly advise
checking out the FAQ item I linked earlier. FreeMarker was NOT designed for
scenarios where you can have malicious template authors. I'm not even sure
what the alternatives are, if somebody needs that.

-- 
Best regards,
Daniel Dekany

RE: [EXTERNAL] Re: CVE-2021-46361 in freemarker lib

Posted by "Demarcq, Arnaud" <Ar...@experian.com.INVALID>.
Hi @Daniel Dekany<ma...@gmail.com>,

Thanks for your response.

Does that mean that with version 2.3.31, we are safe, and that Veracode flagging this version as dangerous is a false positive?

Also, when is the next version planned to be released? My experience shows that Veracode is not very reactive when it comes to un-flagging lib versions.

Many thanks and kind regards,

Arnaud

Re: CVE-2021-46361 in freemarker lib

Posted by Daniel Dekany <da...@gmail.com>.
Hi,

They refer to a Magnolia CMS vulnerability that was fixed in Magnolia CMS,
and a FreeMarker kind-of-vulnerability, which was already addressed in
2.3.31. See also: https://issues.apache.org/jira/browse/FREEMARKER-205

But most importantly, see this:
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security


-- 
Best regards,
Daniel Dekany

Re: CVE-2021-46361 in freemarker lib

Posted by Daniel Dekany <da...@gmail.com>.
That templates are part of the source code like Java is quite common. Like
in Thymeleaf + Spring, by default you can access any classes with
T(com.example.SomeClass), and then do whatever you want. FreeMarker is more
restrictive there, but I assume the reason wasn't security, but simply to
discourage logic in templates that should belong to the MVC Controller, and
heavy Java API usage in templates generally. See also:
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security

-- 
Best regards,
Daniel Dekany

Re: CVE-2021-46361 in freemarker lib

Posted by Taher Alkhateeb <ta...@pythys.com.INVALID>.
Hello folks,

I'm not sure if this is the proper mailing list to discuss such 
information. Anyway I looked at the reported security vulnerability and 
it seems to be not critical unless the solution deployed has the ability 
to modify FTL files on the server. So it may not be critical depending 
on the type of solution being deployed as you must be able to inject an 
FTL template and evaluate it to get access to a class loader and then 
use it to inject malicious code.

Regards,

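The two practical points in this thread, that FreeMarker 2.3.30 and later block `java.security.ProtectionDomain.getClassLoader`, and that the engine assumes template authors are trusted (Taher's remark that the reported issue needs the ability to place an FTL file on the server says the same thing from the other side), translate into a version guard plus a configuration. The Java below is an added example; it is not code from the thread or from the FreeMarker project. The class name, the constructed `welcome.ftl` template and the `findRiskyBuiltins` pre-merge check are assumptions of this example; `MIN_SAFE_VERSION` is taken from Daniel's 2.3.30 statement; `StringTemplateLoader`, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`, `setAPIBuiltinEnabled` and `Configuration.getVersion()` are existing FreeMarker APIs.

```java
// Added example (not from the mailing-list thread or the FreeMarker project).
// Builds a FreeMarker Configuration for the deployment model the FAQ assumes
// (templates are build artefacts written by trusted authors) and refuses to
// start on a library older than 2.3.30, the release Daniel names as the first
// one that blocks ProtectionDomain.getClassLoader.
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.Version;

import java.io.IOException;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class HardenedFreeMarker {

    // Oldest release that blocks the getClassLoader accessor, per the thread (assumption of this example).
    static final Version MIN_SAFE_VERSION = new Version(2, 3, 30);

    // Constructed sample: a template shipped inside the application, i.e. written by a trusted author.
    static final String WELCOME_FTL = "Hello ${user}, you have ${count} new messages.";

    /** Fails fast if the freemarker jar on the class path predates the fix. */
    static void requireMinimumVersion() {
        Version actual = Configuration.getVersion();
        if (actual.intValue() < MIN_SAFE_VERSION.intValue()) {
            throw new IllegalStateException(
                    "FreeMarker " + actual + " is older than " + MIN_SAFE_VERSION + "; upgrade the dependency");
        }
    }

    /**
     * Hardened configuration: the loader holds only compiled-in templates, so no
     * request handler can add or overwrite template source at runtime, and the
     * builtins that reach into arbitrary Java classes are switched off.
     */
    static Configuration buildHardenedConfiguration() {
        requireMinimumVersion();
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);

        // In-memory loader filled from constants. A real application would use
        // setClassForTemplateLoading(...) on a package inside the jar; what matters
        // is that the loader is never pointed at user-writable storage.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("welcome.ftl", WELCOME_FTL);
        cfg.setTemplateLoader(loader);

        // ?new instantiates arbitrary classes by name; refuse it for every class.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api exposes the raw Java API of wrapped objects. It is off by default,
        // but stating it makes a later "convenience" change visible in code review.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Renders a pre-registered template; the name, never the body, is the only runtime input. */
    static String render(Configuration cfg, String templateName, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    // Builtins whose use in template source should be reviewed before merge (hypothetical CI check).
    private static final Pattern RISKY_BUILTIN = Pattern.compile("\\?(new|api)\\b");

    /** Returns every risky builtin found in a template source, in order of appearance. */
    static List<String> findRiskyBuiltins(String templateSource) {
        List<String> found = new ArrayList<>();
        Matcher m = RISKY_BUILTIN.matcher(templateSource);
        while (m.find()) {
            found.add(m.group(1));
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildHardenedConfiguration();
        System.out.println(render(cfg, "welcome.ftl", Map.of("user", "arnaud", "count", 3)));
        System.out.println(findRiskyBuiltins(WELCOME_FTL));
        System.out.println(findRiskyBuiltins("${obj?api.hashCode()}"));
    }
}
```

Run `main` against a 2.3.30 or newer jar and it renders the greeting; against an older jar `requireMinimumVersion` throws before any template is loaded, which is the check a build should make explicitly rather than relying on a scanner such as Veracode to catch a downgrade. The design point of the in-memory loader filled from constants is that the only runtime input to `render` is a template name that must already be registered; request data never becomes template source, which is exactly the scenario the FAQ item on template uploading warns about. `findRiskyBuiltins` is a cheap complement for CI over the template directory: `ALLOWS_NOTHING_RESOLVER` already refuses `?new` at render time, but a source check fails the build before a template that needs it is ever deployed.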