Java (Maven): Use of insecure protocol to download/upload artifacts #21
Assignees
Labels
All For One
Submissions to the All for One, One for All bounty
High
Bounty entry rated as High
PR merged
CodeQL team just merge the contribution
Reviewed by the Lab 🧪
GH Security Lab has rate the contribution
Comments
JLLeitschuh
added
the
All For One
nicowaisman
added
the
Reviewed by the Lab 🧪
|
Currently, working on a draft for an article titled 'Update: Want to take over the Java ecosystem? All you need is a MITM!' which will mention this new QL query. |
nicowaisman
added
PR merged
|
Merged! 😄 |
|
High severity-ranking |
|
Shared to twitter here: https://twitter.com/JLLeitschuh/status/1207402070007066624?s=20 Thanks GitHub Team! Pleasure working with you as always! |
mnonnenmacher
added a commit
to oss-review-toolkit/ort
that referenced
this issue
Jan 15, 2020
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories. [1] github/securitylab#21 [2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23 Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
mnonnenmacher
added a commit
to oss-review-toolkit/ort
that referenced
this issue
Jan 15, 2020
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories. [1] github/securitylab#21 [2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23 Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
mnonnenmacher
added a commit
to oss-review-toolkit/ort
that referenced
this issue
Jan 15, 2020
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories. [1] github/securitylab#21 [2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23 Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
mnonnenmacher
added a commit
to oss-review-toolkit/ort
that referenced
this issue
Jan 15, 2020
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories. [1] github/securitylab#21 [2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23 Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
mnonnenmacher
added a commit
to oss-review-toolkit/ort
that referenced
this issue
Jan 15, 2020
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories. [1] github/securitylab#21 [2] https://medium.com/p/d069d253fe23 Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
sschuberth
pushed a commit
to oss-review-toolkit/ort
that referenced
this issue
Jan 16, 2020
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories. [1] github/securitylab#21 [2] https://medium.com/p/d069d253fe23 Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
This was referenced Feb 12, 2020
julianladisch
added a commit
to julianladisch/mod-agreements
that referenced
this issue
May 6, 2021
Replace http by https for maven.k-int.com, fixing MitM vulnerability. Unencrypted http allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the content downloaded during the build by malware. Such attacks against unencrypted maven repositories are well-known since 2019: github/securitylab#21 For this reason maven disabled unencrypted http by default since 2021: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
ianibo
pushed a commit
to folio-org/mod-agreements
that referenced
this issue
May 9, 2021
Replace http by https for maven.k-int.com, fixing MitM vulnerability. Unencrypted http allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the content downloaded during the build by malware. Such attacks against unencrypted maven repositories are well-known since 2019: github/securitylab#21 For this reason maven disabled unencrypted http by default since 2021: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Published Research
Want to take over the Java ecosystem? All you need is a MITM!
CVE ID(s)
There are other projects without CVE numbers that need assignment still:
https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0
Report
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
At the beginning of 2019, I began a multi-month long research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.
This included projects such as these:
As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.
The links to the announcements by these organizations can be found here.
At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.
I already have, but would post an updated post after this was merged.
Query
Unfortunately, since QL doesn't allow me to create querries against Gradle build logic yet, I'm only currently able to support Maven Pom XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.
github/codeql#2413
The text was updated successfully, but these errors were encountered: