NEW! Sonatype has launched the Central Security Project. The Central Security Project is a partnership between Sonatype and HackerOne. By bringing Sonatype's superior data research capabilities together with HackerOne's unique reporting platform, we are simplifying the vulnerability reporting process and allowing developers and security researchers to resolve issues faster than ever.
For our March Insight, we'll be covering a component that is a little older, but one of the most popular open source tools in use today. Considering the type of vulnerability the attack vector leverages, use of specific versions of this component could wreak havoc on a database.
Introducing CVE-2014-3483, a SQL injection vulnerability in the PostgreSQL adapter of Active Record.
In this Nexus Intelligence Insights post, we cover an older but potentially catastrophic vulnerability present in the popular rubygem `activerecord`. Introducing CVE-2014-3483, better known as a PostgreSQL injection vulnerability.
Affected versions: 4.0.0.beta1 up to but excluding 4.0.7, and 4.1.0.beta1 up to but excluding 4.1.3.
It is recommended that you upgrade to a non-vulnerable version of the component. The 4.0.7 and 4.1.3 releases are available at the normal locations.
MitM (Man in the Middle)
This month, we will be covering a component that is a little older, but probably to the surprise of many, very widely used across a variety of ecosystems. Considering the type of vulnerability the attack vector leverages, use of this component could be catastrophic.
Introducing CVE-2014-3603: the absence of hostname verification when using OpenSAML.
Affected versions: Identity Provider < 2.4.1 and OpenSAML Java < 2.6.2.
If you are using versions of the Identity Provider < 2.4.1, and versions of OpenSAML Java < 2.6.2, upgrade to the version that supports certificate matching: IdP 2.4.1 or greater, OpenSAML Java 2.6.2 or greater. Additionally, there are some workarounds available.
Denial of Service
A flaw in Apache Batik allows a bad actor to craft malformed XML in an SVG file in order to mount a DoS attack against the server.
Upgrade to Batik version 2.2, where this vulnerability has been fixed.
Embedded malicious code
The news about the event-stream compromise is the latest proof that bad actors are intentionally tainting open source components at the very beginning of the software supply chain so they can efficiently attack production applications in the wild, at the very end of the software supply chain.
Apache Tomcat is vulnerable to Information Disclosure, as it sends the response of a "send file" request (request "A") in response to another request (request "B") that is in the pipeline when the processing of the previous request is completed. An attacker can exploit this vulnerability by sending a request to the targeted system while other requests are being processed. This could allow the attacker to gain sensitive information due to the incorrect response sent when processing of a previous request has completed.
Affected components: org.apache.tomcat:tomcat-coyote, org.apache.tomcat:coyote
org.jboss.web:jbossweb, jboss.web:jbossweb
We recommend upgrading to a component version not impacted by this vulnerability.
Unbounded Memory Allocation/Denial of Service attack
Java serialization issues have been around for years, but did not garner much attention until recently, when it became clear that attackers could use vulnerable classes to deserialize untrusted data, particularly when the deserialization occurs before authentication. Java's type check ensures you only get valid object trees by strictly validating the expected type. Unfortunately, by the time the type check completes, compromised platform code may already have been instantiated and have executed significant logic.
By tampering with the request and asking the server to allocate an abnormally large amount of memory, an attacker could overwhelm the server and cause a denial of service.
Affected versions: Google Guava 11.0 through 24.x before 24.1.1.
Set a limit on the size of the object graph that servers will accept. For Java, narrow the classes that can be deserialized from "any class available to the application" down to a context-appropriate set of classes.
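As an added example of both mitigations (not code from this post or from any of the projects it names), here is a JEP 290 serialization filter applied to an ObjectInputStream; it assumes Java 9 or later and a hypothetical service that only ever accepts a list of integers:

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;

// Added example, not code from the post or from Guava: a JEP 290 serialization
// filter (Java 9+) that applies both mitigations to an ObjectInputStream.
public class BoundedDeserialization {
    // Hypothetical allowlist for a service that only ever receives a list of integers.
    // maxarray/maxdepth/maxrefs/maxbytes cap the object graph; the trailing "!*" rejects
    // every class not matched earlier. java.lang.Object is listed because ArrayList's
    // readObject asks the filter about Object[] before allocating its backing array.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=1000;maxdepth=8;maxrefs=2000;maxbytes=65536;"
          + "java.util.ArrayList;java.lang.Integer;java.lang.Number;java.lang.Object;!*");

    // Deserialize under the filter; it must be set before the first readObject().
    static Object readBounded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Constructed sample input: the serialized form of any Serializable object.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static ArrayList<Integer> listOfSize(int n) {
        ArrayList<Integer> list = new ArrayList<>(n);
        for (int i = 0; i < n; i++) list.add(i);
        return list;
    }

    public static void main(String[] args) throws Exception {
        Object ok = readBounded(serialize(listOfSize(10)));
        System.out.println("10-element list accepted: " + ((ArrayList<?>) ok).size());
        // A 50,000-element list trips the graph limits (the array cap first); a
        // HashMap is refused by the allowlist before its readObject ever runs.
        for (Serializable bad : new Serializable[] {listOfSize(50_000), new HashMap<String, String>()}) {
            try {
                readBounded(serialize(bad));
                System.out.println("unexpectedly accepted " + bad.getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println(bad.getClass().getName() + " rejected: " + e.getMessage());
            }
        }
    }
}
```

The same limits can be applied process-wide without code changes through the jdk.serialFilter system property, which accepts the same pattern syntax.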