Bug 1837444 (CVE-2020-1945) - CVE-2020-1945 ant: insecure temporary file vulnerability
Summary: CVE-2020-1945 ant: insecure temporary file vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1837445 1837446 1843538 1843539 1843540 1843541 1843542 1904306 1904307 1904308 1914101 1922554
Blocks: 1837447
TreeView+ depends on / blocked
 
Reported: 2020-05-19 13:22 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-14 16:40 UTC (History)
83 users (show)

See Also:
Fixed In Version: ant 1.9.15, ant 1.10.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-19 05:20:32 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2618 0 None None None 2020-06-19 01:39:52 UTC
Red Hat Product Errata RHSA-2020:4960 0 None None None 2020-11-05 18:47:46 UTC
Red Hat Product Errata RHSA-2020:4961 0 None None None 2020-11-05 18:49:12 UTC
Red Hat Product Errata RHSA-2021:0423 0 None None None 2021-02-17 19:04:35 UTC
Red Hat Product Errata RHSA-2021:0429 0 None None None 2021-03-03 04:17:40 UTC
Red Hat Product Errata RHSA-2021:0637 0 None None None 2021-03-03 12:27:01 UTC

Description Guilherme de Almeida Suckevicz 2020-05-19 13:22:29 UTC 
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

References:
https://issues.apache.org/jira/browse/RAT-269?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E
Comment 1 Guilherme de Almeida Suckevicz 2020-05-19 13:23:22 UTC 
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1837445]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1837446]
Comment 2 Chess Hazlett 2020-05-19 15:14:32 UTC 
Mitigation:

For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.

For versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.
Comment 7 errata-xmlrpc 2020-06-19 01:39:48 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.5.0

Via RHSA-2020:2618 https://access.redhat.com/errata/RHSA-2020:2618
Comment 8 Product Security DevOps Team 2020-06-19 05:20:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1945
Comment 11 errata-xmlrpc 2020-11-05 18:47:41 UTC 
This issue has been addressed in the following products:

  RHDM 7.9.0

Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960
Comment 12 errata-xmlrpc 2020-11-05 18:49:07 UTC 
This issue has been addressed in the following products:

  RHPAM 7.9.0

Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961
Comment 16 Mark Cooper 2020-12-04 05:36:22 UTC 
OpenShift packages a vulnerable version of ant in the following components:
    - OpenShift 3.11, jenkins, ant.jar-1.10.7
    - OpenShift 4.6,  jenkins, ant.jar-1.10.7
    - OpenShift 4.6,  hive-container, ant-1.9.1
Comment 19 errata-xmlrpc 2021-02-17 19:04:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0423 https://access.redhat.com/errata/RHSA-2021:0423
Comment 20 errata-xmlrpc 2021-03-03 04:17:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0429 https://access.redhat.com/errata/RHSA-2021:0429
Comment 21 errata-xmlrpc 2021-03-03 12:26:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637
Comment 22 Przemyslaw Roguski 2021-03-29 13:09:00 UTC 
Statement:

In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.
Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.
This may be fixed in the future.

[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Note You need to log in before you can comment on or make changes to this bug.