Posted to dev@brooklyn.apache.org by Richard Downer <ri...@apache.org> on 2017/02/10 16:21:05 UTC

[SECURITY] CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution

Severity: Major

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Brooklyn 0.9.0 and all prior versions

Description:
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs.
SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should
unmarshal data to a Java type. In the default configuration, SnakeYAML will
allow unmarshalling to any Java type available on the classpath. This could
provide an authenticated user with a means to cause the JVM running
Brooklyn to load and run Java code without detection by Brooklyn. Such code
would have the privileges of the Java process running Brooklyn, including
the ability to open files and network connections, and execute system
commands. There is known to be a proof-of-concept exploit using this
vulnerability.

Solution:
Upgrade to Apache Brooklyn 0.10.0. This changes the SnakeYAML configuration
to limit unmarshalling to a white list of safe, basic, Java types. This
change blocks YAML document inputs that use unsafe Java types.

Temporary mitigation if you cannot upgrade to 0.10.0:
Ensure your Apache Brooklyn instance is properly secured so that untrusted
users cannot access Brooklyn's API. User authentication should be
configured with strong passwords, and access limited to known trusted
individuals. Configure SSL/TLS. Installations of Apache Brooklyn should not
be exposed to the Internet without considering the security implications.
(This is general good practice for Apache Brooklyn installations.)

Example exploit:
Consider this fragment of YAML:

!!java.util.Date
date: 25
month: 12
year: 2016

If embedded into a YAML document and given to Apache Brooklyn's API
endpoint for new applications, it would cause SnakeYAML to instantiate
java.util.Date and call setter methods on the instance. Although the Date
type in this example is relatively benign, Date could be replaced by any
other class available on Brooklyn's classpath, which includes classes that
pose a security risk.
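The following is an added example, not code from Apache Brooklyn or from the 0.10.0 fix itself. It illustrates both the exploit mechanism above and the kind of configuration change the Solution section describes: the advisory's !!java.util.Date fragment is fed to three SnakeYAML loaders, one that trusts every tag (equivalent to the pre-0.10.0 behaviour, where the default Constructor honoured any classpath type), one built on SafeConstructor (standard YAML types only), and one whose Constructor is gated by a class-name allow-list. It assumes the SnakeYAML 2.x API (LoaderOptions.setTagInspector, TagInspector, Tag.getClassName); the Endpoint bean, its YAML fragment and the class name in the allow-list are constructed for the demonstration.

```java
import java.util.Set;
import java.util.function.Function;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.inspector.TagInspector;

// Added example, not Apache Brooklyn's own fix. Assumes the SnakeYAML 2.x API
// (LoaderOptions.setTagInspector, Tag.getClassName). Endpoint is a constructed bean.
public class YamlTagAllowList {

    // The fragment quoted in the advisory, embedded here as a constructed sample input.
    static final String DATE_FRAGMENT =
            "!!java.util.Date\n"
          + "date: 25\n"
          + "month: 12\n"
          + "year: 2016\n";

    // A harmless bean standing in for a type an application legitimately wants
    // to build from YAML (constructed for this example).
    public static class Endpoint {
        private String host;
        private int port;
        public String getHost() { return host; }
        public void setHost(String host) { this.host = host; }
        public int getPort() { return port; }
        public void setPort(int port) { this.port = port; }
    }

    // Constructed input naming the bean above through a "!!" tag.
    static final String ENDPOINT_FRAGMENT =
            "!!YamlTagAllowList$Endpoint\n"
          + "host: example.invalid\n"
          + "port: 8443\n";

    // The only class names a "!!" tag may resolve to; everything else is refused.
    static final Set<String> ALLOWED_CLASSES = Set.of(Endpoint.class.getName());

    /** Equivalent to Brooklyn before 0.10.0: any type on the classpath may be named by a tag. */
    static Object loadPermissive(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setTagInspector(tag -> true); // trust every global tag: the unsafe setting
        return new Yaml(new Constructor(opts)).load(yaml);
    }

    /** Standard YAML types only: SafeConstructor has no construct step for Java class tags. */
    static Object loadStandardTypesOnly(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    /** Allow-list: the tag inspector rejects every class name not in ALLOWED_CLASSES
     *  before the constructor ever loads a class. */
    static Object loadAllowListed(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        TagInspector inspector = tag -> ALLOWED_CLASSES.contains(tag.getClassName());
        opts.setTagInspector(inspector);
        return new Yaml(new Constructor(opts)).load(yaml);
    }

    // Runs one loader over one document and reports whether the tag was honoured or refused.
    static void attempt(String label, String yaml, Function<String, Object> loader) {
        try {
            Object o = loader.apply(yaml);
            System.out.println(label + ": constructed " + o.getClass().getName());
        } catch (YAMLException e) {
            // Marked exceptions carry a multi-line message; the first line states the problem.
            System.out.println(label + ": refused (" + e.getMessage().split("\n")[0] + ")");
        }
    }

    public static void main(String[] args) {
        attempt("permissive  / Date",     DATE_FRAGMENT,     YamlTagAllowList::loadPermissive);
        attempt("safe        / Date",     DATE_FRAGMENT,     YamlTagAllowList::loadStandardTypesOnly);
        attempt("allow-list  / Date",     DATE_FRAGMENT,     YamlTagAllowList::loadAllowListed);
        attempt("allow-list  / Endpoint", ENDPOINT_FRAGMENT, YamlTagAllowList::loadAllowListed);
    }
}
```

The permissive loader builds a live java.util.Date from the advisory's fragment, exactly the behaviour described above; the other two refuse the same document while the allow-listed loader still accepts the bean it was told to trust. The inspector runs while the document is composed, so a disallowed class name is rejected before any class is loaded or any setter is called, which is the property an unmarshalling allow-list needs.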

Credit:
This issue was discovered by Moritz Bechler of AgNO3 GmbH & Co. KG.

References:
http://www.apache.org/security/index.html