[CVE-2019-11404][SECURITY] Releases are built/executed/released in the context of insecure/untrusted code #1310
Comments
|
Fixed on master in 74198da. Thanks for the heads-up @JLLeitschuh !!! |
|
I am not familiar with any of the security procedures you've just mentioned. The dependencies seem to be used for pre-release versions of Kotlin and Arrow, which makes the set of vulnerable versions limited to SNAPSHOTS and binaries such as Ank. |
When Gradle downloads artifacts, they are stored in the Also, depending upon where the MITM is occurring, the repository requests that are higher in the list could have been intentionally blocked to force the build to try the insecure repository.
You can file for a CVE here: If anyone who is a part of the arrow organization works for a CNA they can file for a CVE faster through them. Here is the CNA list: |
|
CI builds our artifacts from scratch, spinning up a new image for each and re-downloading the dependencies. There's no caching involved, so there's none of those risks. Our dependencies are also pinned to a specific version, with pre-releases clearly suffixed "-rc" or similar. |
|
I'm not for opening a CVE, maybe @raulraja feels otherwise. |
|
@pakoito I'm not opposed to a CVE, but also not interested in going through the trouble given you already addressed those concerns with your comments. |
You're probably fine then. Thank you all. |
I'm sorry, but I need to take this back. This probably does need a CVE assigned to it. I'm happy to file if you need me to. Since the Kotlin compiler is downloaded insecurely, it could have been used to maliciously compromise the released build artifacts. Given that repositories are resolved in the order they are listed, the insecure repository had the chance to be used to resolve various artifacts insecurely, thus exposing the Here's a similar CVE for Eclipse hawkBit that was requested by Wayne Beaton of the Eclipse Security Team due to my discovering this vulnerability in several of the Eclipse repositories. |
|
Go for it |
|
@pakoito Just a heads up, you don't have version 0.9.0 published to Maven central yet. https://search.maven.org/artifact/io.arrow-kt/arrow-core/0.8.2/jar |
|
@raulraja Was there a rename? This is the library list I'm looking at: Also, you have another project vulnerable: |
|
I've filed for the CVE numbers. Will update this issue when I have them. |
|
There was a rename of artifacts before 0.9.0 but the group-id is the same. |
JLLeitschuh
changed the title
|
The CVE number for the vulnerability has been assigned. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11404 |
|
As the CVE is now filed, I'm going to consider this issue closed, pleasure working with all of you. |
|
Thank you for doing due diligence on this topic. |
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.
This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
This isn't just theoretical
POC code exists already to maliciously compromise a JAR file inflight.
See:
MITM Attacks Increasingly Common
See:
Source Locations
arrow/build.gradle
Line 42 in b789243
arrow/build.gradle
Lines 72 to 73 in b789243
The text was updated successfully, but these errors were encountered: