Bug 1393454 (CVE-2016-1000031)

Summary: CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2016-11-09 15:22:35 UTC
Bug Blocks: 1393687

Description Andrej Nemec 2016-11-09 15:20:38 UTC
There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of the FileUpload library.

External References:

http://www.tenable.com/security/research/tra-2016-12

Comment 5 Jason Shepherd 2016-11-11 04:06:31 UTC
We agree with Apache's assessment that this does not represent a valid vulnerability in the Commons File Upload library. We have previously written about Java deserialization flaws in a Security Blog post, and encourage anyone interested in this flaw to read more about our stance here:

https://access.redhat.com/blogs/766093/posts/2361811

We encourage customers developing applications in Java to assess their use of Java serialization, to ensure they add authentication and authorization to endpoints which accept data for deserialization. If that application accepts untrusted data for deserialization, and the Commons File Upload library is available on the classpath, it could be exposed to this issue. We consider the vulnerability to be with deserialization of untrusted data.
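As an added illustration of the application-side control Comment 5 calls for (not code from this bug report, from Red Hat, or from Apache Commons FileUpload): a Java 9+ ObjectInputFilter that allows only the classes an endpoint expects, so a serialized DiskFileItem or any other gadget class on the classpath is refused before its readObject() runs. The class, method and field names are assumptions for the example.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialization {
    // The one type this hypothetical endpoint expects (constructed for the example).
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allow-list of class names the endpoint may deserialize. A serialized
    // org.apache.commons.fileupload.disk.DiskFileItem (or any gadget chain)
    // is not on it, so it is rejected before its readObject() can touch the disk.
    static final Set<String> ALLOWED = Set.of(
            SafeDeserialization.class.getName() + "$Greeting", "java.lang.String");

    static final ObjectInputFilter ALLOW_LIST_ONLY = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Depth/reference/array-length checks carry no class; cap graph depth.
            return info.depth() > 16 ? ObjectInputFilter.Status.REJECTED
                                     : ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) c = c.getComponentType();
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                             : ObjectInputFilter.Status.REJECTED;
    };

    // Deserialize bytes received from a client, with the filter installed first.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_LIST_ONLY);   // must precede readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) readFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);
        try {   // java.util.ArrayList is not on the allow-list, so it is refused
            readFiltered(serialize(new java.util.ArrayList<>(Set.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter applies only to the stream it is set on; a JVM-wide default can be configured with the jdk.serialFilter system property, and neither replaces authentication and authorization on the endpoint itself.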