Posted to dev@roller.apache.org by Slawomir Jasek <sl...@securing.pl> on 2012/01/11 13:07:26 UTC

Security of external libraries?

Hello,


I believe Roller-5.0.0 is bundled with:
Struts-2.1.1
Spring-2.5.6

There are some security vulnerabilities known in these versions:

http://struts.apache.org/2.x/docs/s2-006.html
http://struts.apache.org/2.x/docs/s2-007.html
http://struts.apache.org/2.x/docs/s2-008.html

http://www.springsource.com/security/spring-framework

And some of them are marked as serious.


Could you please explain to me whether these vulnerabilities have any chance of
being exploited in Roller? Unfortunately I am not a programmer, and cannot
deduce it from the source code.

Would you be so kind as to check, by the way, whether Roller-4.0.1, bundled with
Struts-2.0.9 (which has even more security vulnerabilities), is also
endangered? The most disturbing is

http://struts.apache.org/2.x/docs/s2-005.html

which I believe allows, among other things, unrestricted static Java code
execution (for example via java.lang.Runtime exec()) with just a single
crafted URL.


Do you follow any security procedures for upgrading external
libraries/frameworks? Do you issue any kind of Security Bulletin in such
cases?



best regards
Slawomir Jasek

Re: Security of external libraries?

Posted by Slawomir Jasek <sl...@securing.pl>.
On 14/01/12 20:52, David Johnson wrote:
> I've moved to newer versions of Struts and Spring to avoid the problems mentioned below.

Thank you for your answer.


> I'll see about putting together a 5.0.1 release to get these fixes out there. I'm willing to volunteer as release manager. As for 4.0: I'm not willing to volunteer for any 4.0 work.

About the old 4.0 version: my intention was not to induce a fix for the
old release, but rather to check if a security advisory would be
relevant. I can imagine there are still sites running 4.0, and it would
be crucial for them to know if someone can hack them.

I believe the Apache Software Foundation has some procedures related to
security bulletins and ways of fixing security-related bugs. Common
sense tells us the most important thing is to withhold public disclosure of
the details (which would allow the bad guys to exploit it) for as long as
possible, and of course to release an upgrade advisory to all users.

My previous question concerning procedures should rather be: is there
any developer keeping track and taking care of external libraries' security?


best regards
Slawomir Jasek

Re: Security of external libraries?

Posted by David Johnson <sn...@gmail.com>.
I've moved to newer versions of Struts and Spring to avoid the problems mentioned below.

In the Roller 5.0 branch:
   http://svn.apache.org/viewvc?view=revision&revision=1231571

And the Roller trunk
   http://svn.apache.org/viewvc?view=revision&revision=1231565

I'll see about putting together a 5.0.1 release to get these fixes out there. I'm willing to volunteer as release manager. As for 4.0: I'm not willing to volunteer for any 4.0 work.

- Dave


On Jan 11, 2012, at 7:07 AM, Slawomir Jasek wrote:

> Hello,
> 
> 
> I believe Roller-5.0.0 is bundled with:
> Struts-2.1.1
> Spring-2.5.6
> 
> There are some security vulnerabilities known in these versions:
> 
> http://struts.apache.org/2.x/docs/s2-006.html
> http://struts.apache.org/2.x/docs/s2-007.html
> http://struts.apache.org/2.x/docs/s2-008.html
> 
> http://www.springsource.com/security/spring-framework
> 
> And some of them are marked as serious.
> 
> 
> Could you please explain to me whether these vulnerabilities have any chance of
> being exploited in Roller? Unfortunately I am not a programmer, and cannot
> deduce it from the source code.
> 
> Would you be so kind as to check, by the way, whether Roller-4.0.1, bundled with
> Struts-2.0.9 (which has even more security vulnerabilities), is also
> endangered? The most disturbing is
> 
> http://struts.apache.org/2.x/docs/s2-005.html
> 
> which I believe allows, among other things, unrestricted static Java code
> execution (for example via java.lang.Runtime exec()) with just a single
> crafted URL.
> 
> 
> Do you follow any security procedures for upgrading external
> libraries/frameworks? Do you issue any kind of Security Bulletin in such
> cases?
> 
> 
> 
> best regards
> Slawomir Jasek


Re: Security of external libraries?

Posted by David Johnson <sn...@gmail.com>.
On Jan 11, 2012, at 7:07 AM, Slawomir Jasek wrote:
> I believe Roller-5.0.0 is bundled with:
> Struts-2.1.1
> Spring-2.5.6
> 
> There are some security vulnerabilities known in these versions:
> 
> http://struts.apache.org/2.x/docs/s2-006.html
> http://struts.apache.org/2.x/docs/s2-007.html
> http://struts.apache.org/2.x/docs/s2-008.html
> 
> http://www.springsource.com/security/spring-framework

> And some of them are marked as serious.
> 
> Could you please explain to me whether these vulnerabilities have any chance of
> being exploited in Roller? Unfortunately I am not a programmer, and cannot
> deduce it from the source code.
> 
> Would you be so kind as to check, by the way, whether Roller-4.0.1, bundled with
> Struts-2.0.9 (which has even more security vulnerabilities), is also
> endangered? The most disturbing is
> 
> http://struts.apache.org/2.x/docs/s2-005.html
> 
> which I believe allows, among other things, unrestricted static Java code
> execution (for example via java.lang.Runtime exec()) with just a single
> crafted URL.
> 
> Do you follow any security procedures for upgrading external
> libraries/frameworks? Do you issue any kind of Security Bulletin in such
> cases?

It's possible that those library vulnerabilities could be exploited, but I can't be sure without further investigation. The safest thing to do is probably to switch out those libraries for the newer security-fixed versions. I'll check to see if that can be done fairly easily.

I'm not aware of a relevant security procedure, but I'll do some research and see if there is a policy or procedure that we should be following.

- Dave
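
The check the thread keeps circling back to, Slawomir asking whether anyone tracks the security of bundled libraries and Dave proposing to swap the jars for fixed versions, can be automated: open the WAR, read the version out of each jar name under WEB-INF/lib, and compare it with the first fixed version of every advisory for that artifact. The following is an added example written for this page; it is not Roller project code and not code from either poster. The in-memory WAR and its jar names are constructed sample data, and the first-fixed versions in ASSUMED_FIXED_IN are placeholders, since the thread only links the advisories without quoting their affected ranges; each value must be confirmed against the linked advisory page before the output is trusted.

```python
"""Flag jars bundled in a WAR whose version predates a known security fix.

Added example for the dev@roller thread on bundled Struts/Spring versions.
Not Roller project code. Advisory ranges below are illustrative placeholders.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# (jar path inside the WAR, artifact, bundled version, advisory, first fixed version)
Finding = Tuple[str, str, str, str, str]

# ASSUMPTION: first fixed version per advisory. The thread links these
# advisories but does not state their ranges; the versions here are
# placeholders for illustration and must be verified against each advisory.
ASSUMED_FIXED_IN: Dict[str, List[Tuple[str, str]]] = {
    "struts2-core": [
        ("S2-005", "2.2.1"),
        ("S2-006", "2.2.3"),
        ("S2-007", "2.2.3.1"),
        ("S2-008", "2.3.1.2"),
    ],
    "spring-core": [
        ("spring-framework security bulletin", "2.5.6.SEC03"),
    ],
}

# Maven-style file name: <artifact>-<version>.jar, version starting with a digit.
_JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[A-Za-z0-9.]*)\.jar$"
)


def parse_version(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '2.5.6.SEC03' into a tuple that orders correctly with plain tuple
    comparison: numeric parts sort as (0, int), qualifiers as (1, str), so
    '2.5.6' < '2.5.6.SEC03' < '3.0.0'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def split_jar_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a jar path, or None if the name has no
    recognisable version (such jars must be checked by hand)."""
    match = _JAR_RE.match(path.rsplit("/", 1)[-1])
    if match is None:
        return None
    return match.group("artifact"), match.group("version")


def vulnerable_advisories(artifact: str, version: str,
                          fixed_in: Dict[str, List[Tuple[str, str]]] = ASSUMED_FIXED_IN) -> List[str]:
    """Advisories whose first fixed version is newer than the bundled one."""
    bundled = parse_version(version)
    return [adv for adv, fixed in fixed_in.get(artifact, []) if bundled < parse_version(fixed)]


def audit_war(war_bytes: bytes,
              fixed_in: Dict[str, List[Tuple[str, str]]] = ASSUMED_FIXED_IN) -> List[Finding]:
    """Walk WEB-INF/lib of a WAR held in memory and report every unfixed advisory."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            parsed = split_jar_name(name)
            if parsed is None:
                continue
            artifact, version = parsed
            first_fixed = dict(fixed_in.get(artifact, []))
            for adv in vulnerable_advisories(artifact, version, fixed_in):
                findings.append((name, artifact, version, adv, first_fixed[adv]))
    return findings


def build_sample_war(jar_names: List[str]) -> bytes:
    """Constructed sample: an in-memory WAR whose jar entries are empty files.
    Only the names matter for this check; this is not a real Roller build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


# Constructed jar names mirroring the versions the thread says Roller 5.0.0 bundles.
SAMPLE_ROLLER_5_0_0 = [
    "struts2-core-2.1.1.jar",
    "spring-core-2.5.6.jar",
    "roller-weblogger-business-5.0.0.jar",
]

if __name__ == "__main__":
    for path, artifact, version, adv, fixed in audit_war(build_sample_war(SAMPLE_ROLLER_5_0_0)):
        print("%s: %s %s is affected by %s (first fixed in %s)" % (path, artifact, version, adv, fixed))
```

Point audit_war at the bytes of a real roller.war and replace ASSUMED_FIXED_IN with the ranges read from the advisory pages; a jar whose name carries no version (split_jar_name returns None) is silently skipped here and needs a manual look at its META-INF/MANIFEST.MF.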