CVE-2021-27850

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/04/15/1	Exploit Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E	Mailing List Vendor Advisory
https://security.netapp.com/advisory/ntap-20210528-0002/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/04/15/1	Exploit Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E	Mailing List Vendor Advisory
https://security.netapp.com/advisory/ntap-20210528-0002/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tapestry::::::::
	cpe:2.3:a:apache:tapestry::::::::

History

21 Nov 2024, 05:58

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2021/04/15/1 - Exploit, Mailing List, Third Party Advisory~~	() http://www.openwall.com/lists/oss-security/2021/04/15/1 - Exploit, Mailing List, Third Party Advisory
References	~~() https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E - Mailing List, Vendor Advisory~~	() https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E - Mailing List, Vendor Advisory
References	~~() https://security.netapp.com/advisory/ntap-20210528-0002/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20210528-0002/ - Third Party Advisory

Information

Published : 2021-04-15 08:15

Updated : 2024-11-21 05:58

NVD link : CVE-2021-27850

Mitre link : CVE-2021-27850

CVE.ORG link : CVE-2021-27850

JSON object : View

Products Affected

apache

tapestry

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2021-27850", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-04-15T08:15:14.823", "references": [{"url": "http://www.openwall.com/lists/oss-security/2021/04/15/1", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20210528-0002/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2021/04/15/1", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20210528-0002/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-502"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad cr\u00edtica de ejecuci\u00f3n de c\u00f3digo remota no autenticado en todas las versiones recientes de Apache Tapestry. Las versiones afectadas incluyen 5.4.5, 5.5.0, 5.6.2 y 5.7.0. La vulnerabilidad encontrada es un desv\u00edo de la soluci\u00f3n para CVE-2019-0195. Resumen: versiones anteriores a correcci\u00f3n de CVE-2019-0195, era posible descargar archivos de clases arbitrarios desde la ruta de clases proporcionando una URL de archivo de activos dise\u00f1ada. Un atacante pudo descargar el archivo \"AppModule.class\" al requerir la URL \"http://localhost:8080/assets/something/services/AppModule.class\" que contiene una clave secreta HMAC. La correcci\u00f3n para ese error fue un filtro de lista negra que verifica si la URL termina con \".class\",\" properties\" o \".xml\". Omitir: Desafortunadamente, la soluci\u00f3n de lista negra puede simplemente ser omitida al agregar un \"/` al final de la URL: \"http: // localhost:8080/assets/something/services/AppModule.class/\". La barra es eliminada despu\u00e9s de la comprobaci\u00f3n de la lista negra y el archivo` AppModule.class` se carga en la respuesta. Esta clase generalmente contiene la clave secreta HMAC que es usada para firmar objetos Java serializados. Con el conocimiento de esa clave, un atacante puede firmar una cadena de dispositivos Java que conlleva a una RCE (por ejemplo, CommonsBeanUtils1 de ysoserial). Soluci\u00f3n para esta vulnerabilidad: *Para Apache Tapestry versiones 5.4.0 hasta 5.6.1, actualice a versiones 5.6.2 o posteriores. *Para Apache Tapestry versi\u00f3n 5.7.0, actualice a versiones 5.7.1 o posteriores"}], "lastModified": "2024-11-21T05:58:38.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5611789E-E882-49FF-9E33-A8612A394FE5", "versionEndExcluding": "5.6.2", "versionStartIncluding": "5.4.0"}, {"criteria": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4709FF63-6606-413B-941E-3E58DDA96203", "versionEndExcluding": "5.7.1", "versionStartIncluding": "5.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

9.8 /10