Bug 917084 - (CVE-2013-0253) CVE-2013-0253 maven-wagon: all SSL certificate checking is disabled by default
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130223,repor...
Keywords: Security
Depends On: 917086 923437 923438
Blocks: 917089 925799
Reported: 2013-03-01 11:23 EST by Vincent Danen
Modified: 2013-04-05 00:07 EDT (History)
Fixed In Version: maven 3.0.5
Doc Type: Bug Fix
Last Closed: 2013-04-05 00:07:26 EDT

Attachments
diff -u -r apache-maven-3.0.4 apache-maven-3.0.5 (22.26 KB, patch)
2013-03-07 01:30 EST, Mikolaj Izdebski

Description Vincent Danen 2013-03-01 11:23:28 EST
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure SSL mode by default. This mode disables all SSL certificate checking, including: host name verification, date validity, and certificate chain. Not validating the certificate introduces the possibility of a man-in-the-middle attack.

Version 3.0.5 corrects this flaw.


External References:

https://maven.apache.org/security.html
Comment 1 Vincent Danen 2013-03-01 11:24:56 EST
Created maven tracking bugs for this issue

Affects: fedora-all [bug 917086]
Comment 2 Mikolaj Izdebski 2013-03-01 11:33:32 EST
As far as I know this does not affect any version Fedora.
This is a bug in maven-wagon package, not maven.
Fedora uses maven-wagon 1.0 which is unaffected by this vulnerability.

Please confirm if the above statement is true. I don't want to introduce needless major version bump (maven-wagon 1.0 to 2.4) in stable releases (such as Fedora 17 or Fedora 18).
Comment 3 Vincent Danen 2013-03-06 12:48:13 EST
It sounds as though it's a combination of Maven 3.0.4 and Maven Wagon 2.x, but I can't be 100% sure. As per your comment in the Fedora tracking bug, I don't have a reproducer, although I suspect that if you pointed it at a host with an invalid certificate you would know (or have the cert specified for host.com and point Maven to cname.com (a CNAME for host.com), so that Maven is connecting to cname.com with a certificate specifying host.com); that would be sufficient to check.

The bug was more to bump Maven to 3.0.5 (from 3.0.4) and not necessarily also bump Maven Wagon (as the flaw is noted as being introduced in 3.0.4, I suspect the flaw is more in Maven than Maven Wagon).  Bumping Maven to 3.0.5 across all versions of Fedora and leaving Maven Wagon untouched (keep it at 1.0) should be sufficient to correct this.
Comment 4 Mikolaj Izdebski 2013-03-07 01:30:33 EST
Created attachment 706362 [details]
diff -u -r apache-maven-3.0.4 apache-maven-3.0.5

There is no code difference between Maven 3.0.4 and 3.0.5. I attached a diff -r between the maven 3.0.4 and 3.0.5 tarballs. The diff contains basically a version bump from 3.0.4 to 3.0.5, documentation changes (which don't affect runtime) and a change of the maven-wagon dependency from 2.2 to 2.4. There is no direct fix for any security bug.

The vulnerability itself was present in maven-wagon 2.x < 2.4. In Fedora we never had such versions of maven-wagon. In Fedora 19 it was updated from 1.0 directly to 2.4, skipping all affected versions. In Fedora 17 and 18 we still have version 1.0, which is unaffected.

(In reply to comment #3)
> The bug was more to bump Maven to 3.0.5 (from 3.0.4) and not necessarily
> also bump Maven Wagon (as the flaw is noted as being introduced in 3.0.4, I
> suspect the flaw is more in Maven than Maven Wagon).  Bumping Maven to 3.0.5
> across all versions of Fedora and leaving Maven Wagon untouched (keep it at
> 1.0) should be sufficient to correct this.

It's exactly the opposite. The bug is in Maven Wagon. It would be enough to update Maven Wagon, there is no need for updating Maven itself. (Combination of Maven 3.0.5 and Maven Wagon 2.2 is vulnerable, while Maven 3.0.4 and Maven Wagon 1.0 or 2.4 are not). The attached diff shows that there are no semantic changes in Maven 3.0.5.
Comment 6 Vincent Danen 2013-03-13 12:35:53 EDT
(In reply to comment #4)
...
> It's exactly the opposite. The bug is in Maven Wagon. It would be enough to
> update Maven Wagon, there is no need for updating Maven itself. (Combination
> of Maven 3.0.5 and Maven Wagon 2.2 is vulnerable, while Maven 3.0.4 and
> Maven Wagon 1.0 or 2.4 are not). The attached diff shows that there are no
> semantic changes in Maven 3.0.5.

Thanks for this.  I wish that upstream had been a bit clearer as to where the problem really was.  Thanks for taking the time to do this analysis.
Comment 11 Arun Babu Neelicattu 2013-03-14 22:26:45 EDT
This issue can be isolated to the (org.apache.maven.wagon, wagon-http-shared4) artifacts. All versions in (2.1,2.2,2.3) are vulnerable.
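As an added example (not part of this bug report and not code from the Maven project): a POSIX shell check that reads the wagon-http-shared4 jar version out of a Maven installation's lib/ directory and classifies it against the affected set named in comment 11 (2.1, 2.2, 2.3). It is the static alternative to the live reproducer suggested in comment 3. It assumes the jar is laid out as $M2_HOME/lib/wagon-http-shared4-<version>.jar, as in a stock apache-maven-3.0.x distribution; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or from Apache Maven.
# Classifies a Maven installation against CVE-2013-0253 by the version of
# the bundled wagon-http-shared4 jar. Assumes the jar name has the form
# wagon-http-shared4-<version>.jar (stock apache-maven-3.0.x layout).

# wagon_shared4_version LIBDIR
#   Prints the version embedded in LIBDIR/wagon-http-shared4-*.jar,
#   or nothing if no such jar exists. Always returns 0.
wagon_shared4_version() {
    libdir=$1
    for jar in "$libdir"/wagon-http-shared4-*.jar; do
        [ -e "$jar" ] || return 0        # glob did not match: no jar present
        base=${jar##*/}                  # strip directory
        base=${base#wagon-http-shared4-} # strip artifact prefix
        printf '%s\n' "${base%.jar}"     # strip .jar suffix, leaving the version
        return 0
    done
}

# cve_2013_0253_status VERSION
#   Prints "affected" for the versions listed in comment 11, "unknown" when
#   no version was found, and "unaffected" otherwise (1.0 and >= 2.4).
cve_2013_0253_status() {
    case $1 in
        2.1|2.2|2.3) echo affected ;;
        "")          echo unknown ;;
        *)           echo unaffected ;;
    esac
}

# check_maven_home M2_HOME
#   Prints "<version> <status>" and returns non-zero when the install is
#   affected, so it can be used directly in an `if` or a CI gate.
check_maven_home() {
    v=$(wagon_shared4_version "$1/lib")
    s=$(cve_2013_0253_status "$v")
    printf '%s %s\n' "${v:-none}" "$s"
    [ "$s" != affected ]
}

# Usage: check_maven_home "${M2_HOME:-/usr/share/maven}"
```

Run it as `check_maven_home "$M2_HOME"`; a non-zero exit means the bundled wagon-http-shared4 is one of the versions comment 11 identifies, regardless of which Maven core version (3.0.4 or 3.0.5) sits on top of it, which matches comment 4's point that the fix is in Wagon, not in Maven itself.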
Comment 17 errata-xmlrpc 2013-04-02 15:56:33 EDT
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0700 https://rhn.redhat.com/errata/RHSA-2013-0700.html
Comment 18 Kurt Seifried 2013-04-05 00:07:26 EDT
This has been addressed in all products, CLOSEing as per SRT guidelines.