Posted to users@openjpa.apache.org by Jeremy Bauer <jr...@apache.org> on 2013/06/12 21:33:17 UTC

[CVE-2013-1768] Apache OpenJPA security vulnerability

CVE-2013-1768: Apache OpenJPA security vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenJPA 1.0.0 to 1.0.4
OpenJPA 1.1.0
OpenJPA 1.3.0
OpenJPA 1.2.0 to 1.2.2
OpenJPA 2.0.0 to 2.0.1
OpenJPA 2.1.0 to 2.1.1
OpenJPA 2.2.0 to 2.2.1

Description: Deserialization of a maliciously crafted OpenJPA object can
result in an executable file being written to the file system. An
attacker needs to discover an unprotected server program to exploit the
vulnerability.  It then needs to exploit another unprotected server
program to execute the file and gain access to the system.  OpenJPA
usage by itself does not introduce the vulnerability.

Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
specification level should upgrade to the OpenJPA 1.2.3 release.  Users
of OpenJPA using a release based upon the JPA 2.0 specification level
should upgrade to the OpenJPA 2.2.2 release.  Users needing to stay on
their current release should get the latest code from svn for the
corresponding branch level or apply a source patch and build a new
binary package.  Nightly snapshots of the latest source builds are also
available for many branches.

OpenJPA release branch levels and corresponding fix revisions:

OpenJPA 1.0.x revision 1462558:
http://svn.apache.org/viewvc?view=revision&revision=1462558
OpenJPA 1.1.x revision 1462512:
http://svn.apache.org/viewvc?view=revision&revision=1462512
OpenJPA 1.2.x revision 1462488:
http://svn.apache.org/viewvc?view=revision&revision=1462488
OpenJPA 1.3.x revision 1462328:
http://svn.apache.org/viewvc?view=revision&revision=1462328
OpenJPA 2.0.x revision 1462318:
http://svn.apache.org/viewvc?view=revision&revision=1462318
OpenJPA 2.1.x revision 1462268:
http://svn.apache.org/viewvc?view=revision&revision=1462268
OpenJPA 2.2.1.x revision 1462225:
http://svn.apache.org/viewvc?view=revision&revision=1462225
OpenJPA 2.2.x revision 1462076:
http://svn.apache.org/viewvc?view=revision&revision=1462076

Example: An attacker creates a customized serialization of an OpenJPA
object.  The attacker exploits an unprotected server program to execute
the object.  The object includes logic that results in malicious trace
being written to a file, such as a JSP.  The file containing malicious
commands is written to a potentially vulnerable area of the system.  The
attacker exploits a second unprotected server program to execute the
file and gain access to the system.

Credit: This issue was discovered by Pierre Ernst of IBM Corporation.


Re: [CVE-2013-1768] Apache OpenJPA security vulnerability

Posted by Jeremy Bauer <te...@gmail.com>.
The CVE post doesn't state it, but trunk implicitly does have the fix, so
if you grab a recent snapshot (revision >= 1461876) you'll have it.
Cutting a new release from trunk was considered when deciding which
official releases to provide, but the decision was to use the 2.2.x stream
since it is the very latest stable branch on the JPA 2.0 spec level and has
had plenty of time to bake.

Cutting a new release from trunk requires creating a new branch, which may
result in additional maintenance (if maintained), and a branch owner.

Mark - if you are interested, you could cut 2.3.0 release.  It is a time
consuming process, but our instructions are very good and recently
updated.  One of the other committers might be willing to do the release,
but may not want to own the 2.3.x branch if it needs to be maintained.

http://openjpa.apache.org/apache-nexus-release-process-%281.2.x-2.1.x%29.html

-Jeremy


On Thu, Jun 13, 2013 at 1:33 AM, Mark Struberg <st...@yahoo.de> wrote:

> +1
>
> LieGrue,
> strub
>
>
>
>
> ----- Original Message -----
> > From: Romain Manni-Bucau <rm...@gmail.com>
> > To: dev@openjpa.apache.org
> > Cc:
> > Sent: Wednesday, 12 June 2013, 23:15
> > Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
> >
> > Hi
> >
> > TomEE trunk relies on openjpa snapshot
> >
> > With such an issue wonder of an early release (maybe a beta?)
> >
> > Wdyt?
> > On 12 June 2013 21:33, "Jeremy Bauer" <jr...@apache.org> wrote:
> >

Re: [CVE-2013-1768] Apache OpenJPA security vulnerability

Posted by Mark Struberg <st...@yahoo.de>.
+1

LieGrue,
strub




----- Original Message -----
> From: Romain Manni-Bucau <rm...@gmail.com>
> To: dev@openjpa.apache.org
> Cc: 
> Sent: Wednesday, 12 June 2013, 23:15
> Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
> 
> Hi
> 
> TomEE trunk relies on openjpa snapshot
> 
> With such an issue wonder of an early release (maybe a beta?)
> 
> Wdyt?
> On 12 June 2013 21:33, "Jeremy Bauer" <jr...@apache.org> wrote:
> 

Re: [CVE-2013-1768] Apache OpenJPA security vulnerability

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

TomEE trunk relies on openjpa snapshot

With such an issue wonder of an early release (maybe a beta?)

Wdyt?
On 12 June 2013 21:33, "Jeremy Bauer" <jr...@apache.org> wrote: