Bug 1955739 (CVE-2021-26291)

Summary: CVE-2021-26291 maven: Block repositories using http by default
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, ellin, etirelli, fjuma, ggaughan, gmalinko, gsmet, gvarsami, hamadhan, hbraun, hhorak, ibek, iweiss, janstey, java-maint-sig, java-sig-commits, jcoleman, jnethert, jochrist, jorton, jpallich, jperkins, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, ldimaggi, lgao, lnacshon, lthon, mizdebsk, mnovotny, msochure, msrb, msvehla, mszynkie, neugens, nwallace, pantinor, peholase, pgallagh, pjindal, pmackay, probinso, rguimara, rrajasek, rruss, rstancel, rsvoboda, rwagner, sbiarozk, scorneli, sdouglas, shbose, smaestri, sochotni, tcullum, tcunning, tkirby, tom.jenkinson, tzimanyi, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: maven 3.8.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in maven. Repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 14:08:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1955740, 1959524, 1959525, 1959526, 1959527, 1959528, 1960281    
Bug Blocks: 1955742    

Description Pedro Sampaio 2021-04-30 17:58:30 UTC 
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior.

References:

https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E
https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/04/23/5
https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E
https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E
Comment 6 Jonathan Christison 2021-05-13 15:05:08 UTC 
Upstream fixing commits: 
MNG-7117: https://github.com/apache/maven/commit/28b4ea92d38365d0f27a5bd044ac4927580147f8
MNG-7116: https://github.com/apache/maven/commit/3b21386c3f1ab85060f6c950fb2fb17123df8647
MNG-7118: https://github.com/apache/maven/commit/67125676eef313e592da6424a9be0c90c5e6bca5
Comment 11 Jonathan Christison 2021-05-19 15:27:37 UTC 
This vulnerability is out of security support scope for the following products:

* Red Hat JBoss BRMS 6 
* Red Hat JBoss SOA Platform 5.

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 17 errata-xmlrpc 2021-10-20 11:30:02 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.3

Via RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880
Comment 18 Product Security DevOps Team 2021-10-20 14:08:17 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-26291
Comment 19 errata-xmlrpc 2022-03-22 15:33:59 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
Comment 20 errata-xmlrpc 2022-03-23 08:22:41 UTC 
This issue has been addressed in the following products:

  RHINT Camel-K 1.6.4

Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
Comment 22 errata-xmlrpc 2023-03-20 09:13:24 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334
Comment 25 errata-xmlrpc 2023-05-17 17:50:28 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
Comment 27 errata-xmlrpc 2024-02-12 10:23:39 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776
Comment 28 errata-xmlrpc 2024-02-12 10:36:24 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778