Posted to dev@ant.apache.org by Fortify Open Review Project <fo...@hpe.com> on 2015/11/11 17:02:37 UTC

Fortify Open Review Project - Apache .NET Ant 1.1

Dear Project Manager,

History of Fortify Open Source Review

Since 2001, HP Fortify, the leader in application security testing, has dedicated its market leading Source Code Analyzer (SCA) solution to the advancement and security of Open Source security projects. Today, as HP Fortify continues its journey, the HP Fortify Open Review team is providing open source project owners a no-cost assessment. Contributors are provided every opportunity to not only provide the community with great software, but secure software.

Open Source Project / Application Name and release version: Apache .NET Ant 1.1

The HP Fortify Open Review team has assessed Apache .NET Ant 1.1 for possible security vulnerabilities and the results of your assessment are attached. It is HP's policy to make all results public on our Fortify on Demand website within 60 days from the date of this notification. Based on the findings, we would encourage your team to remediate any of the security vulnerabilities in this report or challenge any finding as a "false positive" by contacting our team with an explanation of why you believe the finding to be false.

To contact a member of our team, please email us at Fortify-Open-Review@hp.com.

Additional information about Hewlett-Packard's Fortify Open Review program is available here:

https://hpfod.com/open-source-review-project

What is Fortify on Demand?

HP Fortify on Demand is a managed application security testing service that makes it simple to initiate security tests on a few applications or launch a comprehensive security program without upfront investment of technology and resources. Combining advanced dynamic and static testing technologies (HP Fortify) with HP's experience in evaluating software security, Fortify on Demand brings professional-level software security expertise to organizations of any size.

Regards,

The Fortify on Demand Team

(c) 2015 Hewlett-Packard Development Company, L.P.

Re: Fortify Open Review Project - Apache .NET Ant 1.1

Posted by Stefan Bodewig <bo...@apache.org>.
On 2015-11-11, Fortify Open Review Project wrote:

> The HP Fortify Open Review team has assessed Apache .NET Ant 1.1 for
> possible security vulnerabilities and the results of your assessment
> is attached.  It is HP's policy to make all results public on our
> Fortify on Demand website within 60 days from the date of this
> notification.

Since you sent the report to the public dev@ant.apache.org mailing list,
the report would already have been disclosed if the list was set up to allow
posts by non-subscribers.

Please see <http://ant.apache.org/security.html> and
<http://www.apache.org/security/> for ways to report security
vulnerabilities.

It is the experience of the Apache Software Foundation that
static analysis tools -  including Fortify - generate very large
numbers of false positives and very few - if any - valid vulnerability
reports when run against code. Therefore, the Apache Software
Foundation does not accept any vulnerability reports generated from a
static analysis tool unless that vulnerability report is backed up
with manual analysis that demonstrates how the claimed vulnerability
might be exploited.

The vulnerabilities detected by Fortify for the .NET Antlib are false
positives.

Ant is a tool used to build software projects. Given the nature of this
tool, the following actions can typically be taken using ant:
  - file system access, including writing files (as far as permitted to the
    user running ant)
  - the execution of executables (as far as permitted to the user running
    ant)
  - compilation of new software
  - execution of software compiled using ant

This basically means that using ant it is quite easy to execute arbitrary
executables. The string comparison is not used to prevent (or ensure)
certain binaries are executed.

In case Ant is used as part of a server process, be aware that by accepting
build files you are basically prone to an open remote code execution
vulnerability. While this may be acceptable for build / continuous
integration servers (probably with some kind of accountability) this would
normally not be acceptable outside a development environment.

This implies an attack based on casing errors cannot be considered a
security vulnerability in Ant (as an attacker could easily use ant to
execute random code, including code to starve the CPU, or even to post all
of your files to a newsgroup; building and executing code is core
functionality of ant).

Stefan
