Bug 1393454 (CVE-2016-1000031)

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation | | |
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, aileenc, alazarot, alee, aszczucz, ataylor, bdawidow, carnil, chazlett, coolsvap, csutherl, dandread, dereed, dmcphers, epp-bugs, etirelli, felias, fnasser, ganandan, gvarsami, hfnukal, huwang, ivan.afonichev, java-sig-commits, jcoleman, jerboaa, jialiu, jochrist, jokerman, jolee, jpallich, jshepherd, jwon, kconner, krzysztof.daniel, kseifried, kverlaen, ldimaggi, lgao, lmeyer, lpetrovi, mbaluch, miburman, mizdebsk, mmccomas, mmraka, msimacek, mweiler, mwinkler, myarboro, nwallace, pavelp, rrajasek, rwagner, rzhang, sardella, SpikeFedora, spinder, tcunning, theute, tiwillia, tkirby, trick, twalsh, vhalbert, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-09 15:22:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1393687 | | |
Description (Andrej Nemec, 2016-11-09 15:20:38 UTC)
We agree with Apache's assessment that this does not represent a valid vulnerability in the Commons File Upload library. We have previously written about Java deserialization flaws in a Security Blog post, and encourage anyone interested in this flaw to read more about our stance here: https://access.redhat.com/blogs/766093/posts/2361811

We encourage customers developing applications in Java to assess their use of Java serialization, to ensure they add authentication and authorization to endpoints which accept data for deserialization. If that application accepts untrusted data for deserialization, and the Commons File Upload library is available on the classpath, it could be exposed to this issue. We consider the vulnerability to be with deserialization of untrusted data.
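The two controls the comment above recommends, an authorization gate in front of any endpoint that deserializes, and a tight restriction on which classes the application is willing to deserialize, can be expressed with the JDK's own `ObjectInputFilter` (JEP 290, Java 9 and later). The following is an added example written for this page; it is not code from the bug report, from Red Hat, or from Apache Commons FileUpload. The `SafeDeserializer` class, the `Greeting` payload type and the `callerAuthorized` flag are constructed for the demonstration; the filter pattern rejects the `org.apache.commons.fileupload` package named in this bug and, through the trailing `!*`, every class that is not on the explicit allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not from the bug report or Red Hat): deserialize only for an
 * authorized caller, and only through an ObjectInputFilter (JEP 290, Java 9+)
 * that allow-lists the expected payload class and rejects everything else,
 * including org.apache.commons.fileupload.disk.DiskFileItem when that
 * library happens to be on the classpath.
 */
public class SafeDeserializer {

    // Constructed payload type for the demonstration; the only class the
    // endpoint is expected to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Pattern syntax: ';'-separated patterns, '!' rejects, '**' matches a
    // package and its subpackages, maxdepth/maxbytes cap resource use, and
    // the final "!*" rejects any class not matched earlier. The FileUpload
    // package is rejected explicitly for clarity even though "!*" covers it.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.fileupload.**;"
            + "maxdepth=5;maxbytes=65536;"
            + "SafeDeserializer$Greeting;java.lang.String;!*");

    // callerAuthorized is a stand-in for whatever authentication/authorization
    // result the real endpoint computes before touching the request body.
    public static Object readTrusted(byte[] bytes, boolean callerAuthorized)
            throws IOException, ClassNotFoundException {
        if (!callerAuthorized) {
            throw new SecurityException("deserialization endpoint requires an authorized caller");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Stream-level filter: consulted for every class descriptor before
            // the class is resolved, so a rejected class never runs readObject().
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build sample inputs for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Greeting("hello"));
        System.out.println(((Greeting) readTrusted(ok, true)).text);

        // A class that is not on the allow-list (java.util.Date here) is
        // refused by the filter with an InvalidClassException.
        byte[] rejected = serialize(new java.util.Date());
        try {
            readTrusted(rejected, true);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // An unauthorized caller never reaches the deserializer at all.
        try {
            readTrusted(ok, false);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The allow-list approach matters more than the explicit rejection of the FileUpload package: a deny-list has to know every gadget class in advance, whereas `!*` at the end of the pattern means a new gadget library appearing on the classpath changes nothing until someone deliberately adds its classes to the filter. On Java 9 and later the same pattern can also be applied process-wide through the `jdk.serialFilter` system property, which catches deserialization paths the application code does not wrap itself.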