Bug 1393454 (CVE-2016-1000031) - CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation
Summary: CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation
Status: CLOSED NOTABUG
Alias: CVE-2016-1000031
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160420,repor...
Keywords: Security
Depends On:
Blocks: 1393687
Reported: 2016-11-09 15:20 UTC by Andrej Nemec
Modified: 2019-06-13 14:45 UTC
Clone Of:
Last Closed: 2016-11-09 15:22:35 UTC
Description Andrej Nemec 2016-11-09 15:20:38 UTC
There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of the FileUpload library.

External References:

http://www.tenable.com/security/research/tra-2016-12

Comment 5 Jason Shepherd 2016-11-11 04:06:31 UTC
We agree with Apache's assessment that this does not represent a valid vulnerability in the Commons File Upload library. We have previously written about Java deserialization flaws in a Security Blog post, and encourage anyone interested in this flaw to read more about our stance here:

https://access.redhat.com/blogs/766093/posts/2361811

We encourage customers developing applications in Java to assess their use of Java serialization, to ensure they add authentication and authorization to endpoints which accept data for deserialization. If that application accepts untrusted data for deserialization, and the Commons File Upload library is available on the classpath, it could be exposed to this issue. We consider the vulnerability to be with deserialization of untrusted data.
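As an added example (not code from this bug entry, from Red Hat, or from the Commons FileUpload project), the class allow-listing that the comment above points to, using the JDK 9+ ObjectInputFilter: every org.apache.commons.fileupload class is rejected before its readObject runs, only the types this endpoint expects are accepted, and everything else is denied by default. The accepted class list is an assumption for illustration and must match the types a real endpoint exchanges.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public final class SafeDeserialization {

    // JEP 290 pattern syntax: patterns are checked in order, "!" rejects,
    // "**" covers a package and its subpackages, "!*" rejects anything not
    // matched earlier. The accepted types (java.util.ArrayList, java.lang.*)
    // are an assumption for this example; list what your endpoint really needs.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.fileupload.**;"      // never resolve DiskFileItem & co.
            + "java.util.ArrayList;java.lang.*;"     // the only graph shapes we expect
            + "maxdepth=8;maxbytes=65536;"           // bound nesting and stream size
            + "!*");                                 // default deny

    /** Deserialize untrusted bytes under the allow-list; the filter runs before any class is loaded. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // must be set before readObject()
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input 1: a benign list of strings, which the allow-list accepts.
        List<String> benign = new ArrayList<>(List.of("alpha", "beta"));
        System.out.println("accepted: " + readFiltered(serialize(benign)));

        // Constructed sample input 2: a HashMap, not on the allow-list, so "!*" rejects it.
        // A stream naming any org.apache.commons.fileupload class fails the same way.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same filter can be installed JVM-wide with the jdk.serialFilter system property instead of per stream, which also covers deserialization paths the application code does not call directly.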

