
Java (Maven): Use of insecure protocol to download/upload artifacts #21

Closed
1 task done
JLLeitschuh opened this issue Nov 21, 2019 · 4 comments
Labels
All For One High PR merged Reviewed by the Lab 🧪

Comments


@JLLeitschuh JLLeitschuh commented Nov 21, 2019

Published Research

Want to take over the Java ecosystem? All you need is a MITM!

CVE ID(s)

There are other projects without CVE numbers that need assignment still:
https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0

Report

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

At the beginning of 2019, I began a multi-month long research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.

This included projects such as these:

  • Kotlin Compiler
  • Groovy Compiler
  • Jenkins
  • Many JetBrains projects
  • Many Apache projects
  • Many Eclipse projects
  • Gradle building itself

As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.

  • Sonatype Maven Central
  • JFrog JCenter
  • Gradle
  • Spring

The links to the announcements by these organizations can be found here.

At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I already have, but would post an updated post after this was merged.

Query

Unfortunately, since QL doesn't allow me to create queries against Gradle build logic yet, I'm only currently able to support Maven POM XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.

github/codeql#2413
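The check the query above performs on Maven POM files, reconstructed in Python as an added example. This is not the CodeQL query from github/codeql#2413 and not code posted in this issue: it walks the `<repositories>`, `<pluginRepositories>` and `<distributionManagement>` sections of a constructed `pom.xml`, flags every `<url>` that uses plain `http://`, and emits the kind of `settings.xml` `<mirror>` block that the ORT commits referenced further down this thread describe, redirecting each flagged download repository to the same host over `https://`. The repository ids and hosts in the sample are constructed for the example.

```python
"""Added example (not the CodeQL query referenced in this issue and not code
from the issue itself): find plain-http artifact repositories in a Maven POM
and generate an https mirror block for the download repositories.
The sample POM below is constructed; the hosts use the reserved .invalid TLD."""
from typing import Dict, List
import xml.etree.ElementTree as ET

# Maven POM namespace used by every element in a 4.0.0 pom.xml.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: one insecure download repository, one secure one,
# one insecure plugin repository and one insecure deployment target.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>legacy-repo</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
    <repository>
      <id>central-ok</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>legacy-plugins</id>
      <url>http://plugins.example.invalid/maven2</url>
    </pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository>
      <id>releases</id>
      <url>http://deploy.example.invalid/releases</url>
    </repository>
  </distributionManagement>
</project>
"""

# Every POM element whose <url> Maven uses to download or upload artifacts.
# The first field says whether a settings.xml mirror can redirect it:
# mirrors only apply to download repositories, not to deploy targets.
URL_PATHS = [
    ("repository", True, "m:repositories/m:repository"),
    ("pluginRepository", True, "m:pluginRepositories/m:pluginRepository"),
    ("distributionManagement", False, "m:distributionManagement/m:repository"),
    ("distributionManagement", False, "m:distributionManagement/m:snapshotRepository"),
]


def find_insecure_repositories(pom_xml: str) -> List[Dict]:
    """Return one finding per repository whose URL uses plain http://."""
    root = ET.fromstring(pom_xml)
    findings = []
    for kind, mirrorable, path in URL_PATHS:
        for repo in root.findall(path, NS):
            url_el = repo.find("m:url", NS)
            id_el = repo.find("m:id", NS)
            if url_el is None or not url_el.text:
                continue
            url = url_el.text.strip()
            # Scheme check is case-insensitive; Maven accepts "HTTP://" as well.
            if url.lower().startswith("http://"):
                findings.append({
                    "kind": kind,
                    "mirrorable": mirrorable,
                    "id": (id_el.text or "").strip() if id_el is not None else "",
                    "url": url,
                })
    return findings


def https_mirror_settings(findings: List[Dict]) -> str:
    """Build a settings.xml <mirrors> block that sends each flagged download
    repository id to the same host over https://. Deployment URLs are skipped:
    those have to be changed in the POM itself."""
    lines = ["<mirrors>"]
    for f in findings:
        if not f["mirrorable"] or not f["id"]:
            continue
        https_url = "https://" + f["url"][len("http://"):]
        lines.append("  <mirror>")
        lines.append("    <id>" + f["id"] + "-https</id>")
        lines.append("    <mirrorOf>" + f["id"] + "</mirrorOf>")
        lines.append("    <url>" + https_url + "</url>")
        lines.append("  </mirror>")
    lines.append("</mirrors>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_insecure_repositories(SAMPLE_POM)
    for f in found:
        print(f"{f['kind']} id={f['id']!r} uses insecure URL {f['url']}")
    print(https_mirror_settings(found))
```

Running it on the sample reports three insecure URLs and emits mirrors for `legacy-repo` and `legacy-plugins` only. A mirror does not fix the POM, it only redirects the build on machines that carry the settings file, so the generated block is a stopgap for analyzing old projects; the durable fix is the one the later commits in this thread make, replacing `http://` with `https://` in the POM.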

@JLLeitschuh JLLeitschuh added the All For One label Nov 21, 2019
@nicowaisman nicowaisman added the Reviewed by the Lab 🧪 label Nov 27, 2019

@JLLeitschuh JLLeitschuh commented Dec 12, 2019

Currently, working on a draft for an article titled 'Update: Want to take over the Java ecosystem? All you need is a MITM!' which will mention this new QL query.

@nicowaisman nicowaisman added PR merged and removed PR merged labels Dec 16, 2019

@JLLeitschuh JLLeitschuh commented Jan 2, 2020

Merged! 😄

@nicowaisman nicowaisman added the High label Jan 2, 2020

@xcorail xcorail commented Jan 2, 2020

High severity-ranking
Payment order reviewed and 👍
Ready to 💰


@JLLeitschuh JLLeitschuh commented Jan 4, 2020

Shared to twitter here: https://twitter.com/JLLeitschuh/status/1207402070007066624?s=20

Thanks GitHub Team! Pleasure working with you as always!

mnonnenmacher added a commit to oss-review-toolkit/ort that referenced this issue Jan 15, 2020
Several Maven repositories have disabled HTTP access for security
reasons, see [1] and [2]. To be able to still analyze old Maven projects
that use the HTTP URLs automatically create mirrors for those
repositories pointing to the HTTPS URLs. Otherwise Maven would abort
with an exception as soon as it tries to download an artifact from any
of those repositories.

[1] github/securitylab#21
[2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
sschuberth pushed a commit to oss-review-toolkit/ort that referenced this issue Jan 16, 2020
Several Maven repositories have disabled HTTP access for security
reasons, see [1] and [2]. To be able to still analyze old Maven projects
that use the HTTP URLs automatically create mirrors for those
repositories pointing to the HTTPS URLs. Otherwise Maven would abort
with an exception as soon as it tries to download an artifact from any
of those repositories.

[1] github/securitylab#21
[2] https://medium.com/p/d069d253fe23

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
@nicowaisman nicowaisman added the PR merged label Jan 27, 2020
julianladisch added a commit to julianladisch/mod-agreements that referenced this issue May 6, 2021
Replace http by https for maven.k-int.com, fixing MitM vulnerability.

Unencrypted http allows an attacker to run a
Machine-in-the-Middle (MitM) attack that replaces
the content downloaded during the build by malware.

Such attacks against unencrypted maven repositories are well-known since 2019:
github/securitylab#21

For this reason maven disabled unencrypted http by default since 2021:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
ianibo pushed a commit to folio-org/mod-agreements that referenced this issue May 9, 2021
Replace http by https for maven.k-int.com, fixing MitM vulnerability.

Unencrypted http allows an attacker to run a
Machine-in-the-Middle (MitM) attack that replaces
the content downloaded during the build by malware.

Such attacks against unencrypted maven repositories are well-known since 2019:
github/securitylab#21

For this reason maven disabled unencrypted http by default since 2021:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291