Bug 917084 (CVE-2013-0253) - CVE-2013-0253 maven-wagon: all SSL certificate checking is disabled by default
Summary: CVE-2013-0253 maven-wagon: all SSL certificate checking is disabled by default
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0253
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 917086 923437 923438
Blocks: 917089 925799
Reported: 2013-03-01 16:23 UTC by Vincent Danen
Modified: 2021-02-17 07:59 UTC (History)

Fixed In Version: maven 3.0.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-05 04:07:26 UTC
Embargoed:


Attachments
diff -u -r apache-maven-3.0.4 apache-maven-3.0.5 (22.26 KB, patch), 2013-03-07 06:30 UTC, Mikolaj Izdebski


Links
Red Hat Product Errata RHSA-2013:0700 (priority normal, status SHIPPED_LIVE): Moderate: jenkins security update; last updated 2013-04-02 23:55:46 UTC

Description Vincent Danen 2013-03-01 16:23:28 UTC
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure SSL mode by default. This mode disables all SSL certificate checking, including: host name verification, date validity, and certificate chain. Not validating the certificate introduces the possibility of a man-in-the-middle attack.

Version 3.0.5 corrects this flaw.


External References:

https://maven.apache.org/security.html

Comment 1 Vincent Danen 2013-03-01 16:24:56 UTC
Created maven tracking bugs for this issue

Affects: fedora-all [bug 917086]

Comment 2 Mikolaj Izdebski 2013-03-01 16:33:32 UTC
As far as I know this does not affect any version of Fedora.
This is a bug in maven-wagon package, not maven.
Fedora uses maven-wagon 1.0 which is unaffected by this vulnerability.

Please confirm if the above statement is true. I don't want to introduce needless major version bump (maven-wagon 1.0 to 2.4) in stable releases (such as Fedora 17 or Fedora 18).

Comment 3 Vincent Danen 2013-03-06 17:48:13 UTC
It sounds as though it's a combination of Maven 3.0.4 and Maven Wagon 2.x, but I can't be 100% sure (and, as per your comment in the fedora tracking bug, I don't have a reproducer, although I suspect that if you pointed it at a host with an invalid certificate you would know; or have the cert specified for host.com and point Maven to cname.com (a cname for host.com) so that Maven is connecting to cname.com with a certificate specifying host.com; that would be sufficient to check).

The bug was more to bump Maven to 3.0.5 (from 3.0.4) and not necessarily also bump Maven Wagon (as the flaw is noted as being introduced in 3.0.4, I suspect the flaw is more in Maven than Maven Wagon).  Bumping Maven to 3.0.5 across all versions of Fedora and leaving Maven Wagon untouched (keep it at 1.0) should be sufficient to correct this.
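The check suggested in comment 3 comes down to what a verifying TLS client must refuse: a certificate whose names do not cover the host actually being connected to (host.com vs. cname.com), one outside its validity window, or one not chained to a trusted issuer, which are exactly the three checks the description says the non-secure mode skips. The following is an added illustration written for this page, not Maven Wagon code; the certificate is a constructed dict standing in for an X.509 structure, the issuer check is a deliberately simplified stand-in for real chain validation (no signatures are verified), and the function and field names are assumptions.

```python
"""Model of the three checks a verifying TLS client performs and that the
'non-secure SSL mode' skips: host name, validity dates, trusted issuer.
Added illustration for this bug; not code from Maven or Maven Wagon."""
from datetime import datetime

# Constructed leaf certificate for host.com (assumption: a dict models the
# X.509 fields that matter for these checks).
HOST_COM_CERT = {
    "subject_cn": "host.com",
    "san_dns": ["host.com", "www.host.com", "*.api.host.com"],
    "not_before": datetime(2013, 1, 1),
    "not_after": datetime(2014, 1, 1),
    "issuer": "Test CA",
}

# Constructed certificate an attacker could present on the wire: wrong name,
# issued by a CA nobody trusts. A verifying client rejects it twice over.
MITM_CERT = {
    "subject_cn": "mitm.example",
    "san_dns": ["mitm.example"],
    "not_before": datetime(2013, 1, 1),
    "not_after": datetime(2014, 1, 1),
    "issuer": "Evil CA",
}

TRUSTED_ISSUERS = {"Test CA"}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is only
    accepted as the whole leftmost label and never matches the bare domain
    or more than one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]            # ".api.host.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def strict_verify(cert, hostname, now, trusted_issuers):
    """Return the list of failures; an empty list means the cert is accepted.
    Simplification: 'chain' is modelled as issuer-in-trust-store only."""
    failures = []
    names = cert["san_dns"] or [cert["subject_cn"]]
    if not any(dns_name_matches(n, hostname) for n in names):
        failures.append(f"hostname {hostname!r} not covered by {names}")
    if now < cert["not_before"] or now > cert["not_after"]:
        failures.append(f"not valid at {now:%Y-%m-%d}")
    if cert["issuer"] not in trusted_issuers:
        failures.append(f"issuer {cert['issuer']!r} not trusted")
    return failures


def insecure_verify(cert, hostname, now, trusted_issuers):
    """The non-secure mode of the description: every check skipped, so any
    certificate, including MITM_CERT, is accepted."""
    return []


if __name__ == "__main__":
    during = datetime(2013, 6, 1)
    for label, cert, host, now in [
        ("host.com, valid", HOST_COM_CERT, "host.com", during),
        ("cname.com, cert for host.com", HOST_COM_CERT, "cname.com", during),
        ("host.com, expired", HOST_COM_CERT, "host.com", datetime(2015, 1, 1)),
        ("host.com, attacker cert", MITM_CERT, "host.com", during),
    ]:
        print(f"{label:32} strict={strict_verify(cert, host, now, TRUSTED_ISSUERS)}"
              f" insecure={insecure_verify(cert, host, now, TRUSTED_ISSUERS)}")
```

The cname.com case is the reproducer from comment 3: the certificate is perfectly good, it just does not name the host the client asked for, so a verifying client must fail while the non-secure mode connects without complaint.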

Comment 4 Mikolaj Izdebski 2013-03-07 06:30:33 UTC
Created attachment 706362 [details]
diff -u -r apache-maven-3.0.4 apache-maven-3.0.5

There is no code difference between Maven 3.0.4 and 3.0.5. I attached a diff -r between the maven 3.0.4 and 3.0.5 tarballs. The diff contains basically a version bump from 3.0.4 to 3.0.5, documentation changes (which don't affect runtime) and a changed maven-wagon dependency from 2.2 to 2.4. There is no direct fix for any security bug.

The vulnerability itself was present in maven-wagon 2.x < 2.4. In Fedora we never had such versions of maven-wagon. In Fedora 19 it was updated from 1.0 directly to 2.4, skipping all affected versions. In Fedora 17 and 18 we still have version 1.0, which is unaffected.

(In reply to comment #3)
> The bug was more to bump Maven to 3.0.5 (from 3.0.4) and not necessarily
> also bump Maven Wagon (as the flaw is noted as being introduced in 3.0.4, I
> suspect the flaw is more in Maven than Maven Wagon).  Bumping Maven to 3.0.5
> across all versions of Fedora and leaving Maven Wagon untouched (keep it at
> 1.0) should be sufficient to correct this.

It's exactly the opposite. The bug is in Maven Wagon. It would be enough to update Maven Wagon, there is no need for updating Maven itself. (Combination of Maven 3.0.5 and Maven Wagon 2.2 is vulnerable, while Maven 3.0.4 and Maven Wagon 1.0 or 2.4 are not). The attached diff shows that there are no semantic changes in Maven 3.0.5.

Comment 6 Vincent Danen 2013-03-13 16:35:53 UTC
(In reply to comment #4)
...
> It's exactly the opposite. The bug is in Maven Wagon. It would be enough to
> update Maven Wagon, there is no need for updating Maven itself. (Combination
> of Maven 3.0.5 and Maven Wagon 2.2 is vulnerable, while Maven 3.0.4 and
> Maven Wagon 1.0 or 2.4 are not). The attached diff shows that there are no
> semantic changes in Maven 3.0.5.

Thanks for this.  I wish that upstream had been a bit clearer as to where the problem really was.  Thanks for taking the time to do this analysis.

Comment 11 Arun Babu Neelicattu 2013-03-15 02:26:45 UTC
This issue can be isolated to the (org.apache.maven.wagon, wagon-http-shared4) artifacts. All versions in (2.1, 2.2, 2.3) are vulnerable.
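Comments 4 and 11 together give the practical rule: the Maven version is not the indicator, the wagon-http-shared4 jar is (Maven 3.0.5 with wagon-http-shared4 2.2 is vulnerable; Maven 3.0.4 with the 1.x wagon-http-shared or with 2.4 is not). The script below, an added example written for this page rather than anything from the Maven or Wagon projects, walks a list of jar paths such as a Maven lib/ directory or an ~/.m2 repository and flags that artifact in the 2.1 to 2.3 range. The jar paths in it are constructed for the demonstration, and the function names are assumptions.

```python
"""Flag org.apache.maven.wagon:wagon-http-shared4 2.1-2.3 in a list of jar
paths (e.g. `find $M2_HOME/lib ~/.m2/repository -name '*.jar'`).
Added example for this bug; not Maven or Maven Wagon code."""
import re

# Affected range per comment 11 (2.1, 2.2, 2.3) and comment 4 (2.x < 2.4).
AFFECTED_ARTIFACT = "wagon-http-shared4"
AFFECTED_MIN = (2, 1)
FIXED_IN = (2, 4)

# Maven jar names are <artifactId>-<version>.jar; the artifactId may itself
# contain hyphens, so match lazily and require the version to start with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*(?:-[\w.]+)?)\.jar$")


def parse_jar_name(path):
    """Return (artifactId, version) for a jar path, or None if it does not
    follow the Maven naming convention."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_tuple(version):
    """Numeric prefix of a version as a tuple: '2.3-SNAPSHOT' -> (2, 3)."""
    numeric = re.match(r"\d+(?:\.\d+)*", version).group(0)
    return tuple(int(part) for part in numeric.split("."))


def is_affected(artifact, version):
    """True only for wagon-http-shared4 in [2.1, 2.4). The 1.x artifact is
    named wagon-http-shared (no '4') and is never flagged."""
    if artifact != AFFECTED_ARTIFACT:
        return False
    return AFFECTED_MIN <= version_tuple(version) < FIXED_IN


def scan(paths):
    """Return the sorted list of jar paths that carry an affected artifact."""
    hits = []
    for path in paths:
        parsed = parse_jar_name(path)
        if parsed is not None and is_affected(*parsed):
            hits.append(path)
    return sorted(hits)


# Constructed inventories (not real installations) for the cases in comment 4.
MAVEN_305_WITH_WAGON_22 = [
    "apache-maven-3.0.5/lib/maven-core-3.0.5.jar",
    "apache-maven-3.0.5/lib/wagon-http-shared4-2.2.jar",
    "apache-maven-3.0.5/lib/wagon-provider-api-2.2.jar",
]
FEDORA_MAVEN_304_WITH_WAGON_10 = [
    "/usr/share/maven/lib/maven-core-3.0.4.jar",
    "/usr/share/maven/lib/wagon-http-shared-1.0.jar",
]
M2_REPOSITORY = [
    "/home/user/.m2/repository/org/apache/maven/wagon/wagon-http-shared4/2.3/wagon-http-shared4-2.3.jar",
    "/home/user/.m2/repository/org/apache/maven/wagon/wagon-http-shared4/2.4/wagon-http-shared4-2.4.jar",
]

if __name__ == "__main__":
    for label, inventory in [("maven 3.0.5 + wagon 2.2", MAVEN_305_WITH_WAGON_22),
                             ("fedora maven 3.0.4 + wagon 1.0", FEDORA_MAVEN_304_WITH_WAGON_10),
                             ("~/.m2 repository", M2_REPOSITORY)]:
        print(f"{label}: {scan(inventory) or 'not affected'}")
```

Note that the 3.0.5 inventory is flagged and the Fedora 3.0.4 one is not, which is the point of comment 4: look at the wagon artifact that is actually on the classpath, not at the Maven release number.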

Comment 17 errata-xmlrpc 2013-04-02 19:56:33 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0700 https://rhn.redhat.com/errata/RHSA-2013-0700.html

Comment 18 Kurt Seifried 2013-04-05 04:07:26 UTC
This has been addressed in all products, CLOSEing as per SRT guidelines.
