
Java (Maven): Use of insecure protocol to download/upload artifacts #21

Closed
JLLeitschuh opened this issue Nov 21, 2019 · 4 comments

Comments

@JLLeitschuh JLLeitschuh commented Nov 21, 2019

Published Research

Want to take over the Java ecosystem? All you need is a MITM!

CVE ID(s)

There are other projects without CVE numbers that need assignment still:
https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0

Report

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

At the beginning of 2019, I began a multi-month long research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.

This included projects such as these:

  • Kotlin Compiler
  • Groovy Compiler
  • Jenkins
  • Many JetBrains projects
  • Many Apache projects
  • Many Eclipse projects
  • Gradle building itself

As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.

  • Sonatype Maven Central
  • JFrog JCenter
  • Gradle
  • Spring

The links to the announcements by these organizations can be found here.

At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I already have, but would post an updated post after this was merged.

Query

Unfortunately, since QL doesn't allow me to create queries against Gradle build logic yet, I'm only currently able to support Maven Pom XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.

Semmle/ql#2413
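As an added illustration of what the Maven half of that query looks for (this is example code written for this page, not the QL query linked above): a small scanner that parses a pom.xml and reports every `<repository>`, `<pluginRepository>` and `<snapshotRepository>` whose `<url>` uses plain `http`. The sample POM is constructed; the `.invalid` hostnames are placeholders. Note that the POM `xmlns` itself is an `http://` URI but is only a namespace identifier, not a download location, so it is deliberately not flagged.

```python
"""Scan a Maven pom.xml for artifact repositories reached over plain HTTP (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements whose <url> child names a server Maven downloads from or uploads to.
# The POM namespace URI (http://maven.apache.org/POM/4.0.0) is not a repository
# and is never inspected here.
REPO_TAGS = ("repository", "pluginRepository", "snapshotRepository")


def local(tag: str) -> str:
    """Strip the XML namespace so tags compare the same with or without xmlns."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def find_insecure_repos(pom_xml: str):
    """Return (element, repo id, url) for every repository URL using the http scheme."""
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if local(elem.tag) not in REPO_TAGS:
            continue
        url_el = next((c for c in elem if local(c.tag) == "url"), None)
        if url_el is None or not url_el.text:
            continue
        url = url_el.text.strip()
        if urlsplit(url).scheme.lower() == "http":
            id_el = next((c for c in elem if local(c.tag) == "id"), None)
            repo_id = id_el.text.strip() if id_el is not None and id_el.text else ""
            findings.append((local(elem.tag), repo_id, url))
    return findings


# Constructed sample: one HTTPS repo (fine) and three plain-HTTP locations (flagged).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.invalid/maven2</url></repository>
    <repository><id>central-tls</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.invalid/maven2</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <snapshotRepository><id>snaps</id><url>http://snapshots.example.invalid/</url></snapshotRepository>
  </distributionManagement>
</project>"""

if __name__ == "__main__":
    for kind, rid, url in find_insecure_repos(SAMPLE_POM):
        print(f"{kind} '{rid}' uses plain HTTP: {url}")
```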

@JLLeitschuh JLLeitschuh commented Dec 12, 2019

Currently working on a draft for an article titled 'Update: Want to take over the Java ecosystem? All you need is a MITM!' which will mention this new QL query.

@nicowaisman nicowaisman added PR merged and removed PR merged labels Dec 16, 2019
@JLLeitschuh JLLeitschuh commented Jan 2, 2020

Merged! 😄

@nicowaisman nicowaisman added the High label Jan 2, 2020
@xcorail xcorail commented Jan 2, 2020

High severity-ranking
Payment order reviewed and 👍
Ready to 💰

@JLLeitschuh JLLeitschuh commented Jan 4, 2020

Shared to twitter here: https://twitter.com/JLLeitschuh/status/1207402070007066624?s=20

Thanks GitHub Team! Pleasure working with you as always!

mnonnenmacher added a commit to heremaps/oss-review-toolkit that referenced this issue Jan 15, 2020
Several Maven repositories have disabled HTTP access for security
reasons, see [1] and [2]. To be able to still analyze old Maven projects
that use the HTTP URLs, automatically create mirrors for those
repositories pointing to the HTTPS URLs. Otherwise Maven would abort
with an exception as soon as it tries to download an artifact from any
of those repositories.

[1] github/security-lab#21
[2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
sschuberth added a commit to heremaps/oss-review-toolkit that referenced this issue Jan 16, 2020
Several Maven repositories have disabled HTTP access for security
reasons, see [1] and [2]. To be able to still analyze old Maven projects
that use the HTTP URLs, automatically create mirrors for those
repositories pointing to the HTTPS URLs. Otherwise Maven would abort
with an exception as soon as it tries to download an artifact from any
of those repositories.

[1] github/security-lab#21
[2] https://medium.com/p/d069d253fe23

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>