Bug 1393454 - (CVE-2016-1000031) CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160420,repor...
Keywords: Security
Blocks: 1393687
Reported: 2016-11-09 10:20 EST by Andrej Nemec
Modified: 2016-11-11 04:15 EST
Last Closed: 2016-11-09 10:22:35 EST
Description Andrej Nemec 2016-11-09 10:20:38 EST
There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of the FileUpload library.

External References:

http://www.tenable.com/security/research/tra-2016-12
Comment 5 Jason Shepherd 2016-11-10 23:06:31 EST
We agree with Apache's assessment that this does not represent a valid vulnerability in the Commons File Upload library. We have previously written about Java deserialization flaws in a Security Blog post, and encourage anyone interested in this flaw to read more about our stance here:

https://access.redhat.com/blogs/766093/posts/2361811

We encourage customers developing applications in Java to assess their use of Java serialization, to ensure they add authentication and authorization to endpoints which accept data for deserialization. If that application accepts untrusted data for deserialization, and the Commons File Upload library is available on the classpath, it could be exposed to this issue. We consider the vulnerability to be with deserialization of untrusted data.
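The control this comment points at, as an added example that is not code from the bug report, Apache or Red Hat: a look-ahead allow-list on the ObjectInputStream, so that a payload reaching an authenticated endpoint can only instantiate the one class the application expects, and any other class on the classpath (DiskFileItem included) is rejected before its readObject() runs. UploadRequest is a hypothetical application DTO and the inputs in main() are constructed.

```java
import java.io.*;
import java.util.Set;

public class SafeUploadDeserializer {
    // Hypothetical application DTO: the only thing this endpoint legitimately receives.
    public static final class UploadRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String fileName;
        public final long size;
        public UploadRequest(String fileName, long size) { this.fileName = fileName; this.size = size; }
    }

    // Only class descriptors named here may appear in the stream. String and primitive
    // fields are written without their own class descriptor, so they need no entry.
    private static final Set<String> ALLOWED = Set.of(UploadRequest.class.getName());

    // Look-ahead check: resolveClass() runs for each class descriptor before the object is
    // instantiated, so a blocked class (e.g. DiskFileItem) never reaches its readObject().
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Entry point for a payload whose sender has already been authenticated and authorized.
    public static UploadRequest read(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(payload))) {
            return (UploadRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected DTO, then an unrelated class standing in for any gadget.
        System.out.println("accepted: " + read(serialize(new UploadRequest("report.pdf", 1024))).fileName);
        try {
            read(serialize(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same policy can be expressed with ObjectInputFilter (JEP 290) instead of overriding resolveClass(); either way the check must sit in front of every deserialization sink, not only this one.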
