Java (Maven): Use of insecure protocol to download/upload artifacts #21
Labels: All For One (Submissions to the All for One, One for All bounty); High (Bounty entry rated as High); PR merged (CodeQL team just merged the contribution); Reviewed by the Lab 🧪 (GH Security Lab has rated the contribution)
Comments
JLLeitschuh added the All For One label (Nov 21, 2019)
nicowaisman added the Reviewed by the Lab 🧪 label (Nov 27, 2019)
Currently working on a draft for an article titled 'Update: Want to take over the Java ecosystem? All you need is a MITM!' which will mention this new QL query.
nicowaisman added and removed the PR merged label (Dec 16, 2019)
Merged! 😄
High severity-ranking
Shared to twitter here: https://twitter.com/JLLeitschuh/status/1207402070007066624?s=20 Thanks GitHub Team! Pleasure working with you as always!
mnonnenmacher added a commit to oss-review-toolkit/ort that referenced this issue (Jan 15, 2020):
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs, automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories.
[1] github/securitylab#21
[2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23
Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
sschuberth pushed a commit to oss-review-toolkit/ort that referenced this issue (Jan 16, 2020):
Several Maven repositories have disabled HTTP access for security reasons, see [1] and [2]. To be able to still analyze old Maven projects that use the HTTP URLs, automatically create mirrors for those repositories pointing to the HTTPS URLs. Otherwise Maven would abort with an exception as soon as it tries to download an artifact from any of those repositories.
[1] github/securitylab#21
[2] https://medium.com/p/d069d253fe23
Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
julianladisch added a commit to julianladisch/mod-agreements that referenced this issue (May 6, 2021):
Replace http by https for maven.k-int.com, fixing MitM vulnerability. Unencrypted http allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the content downloaded during the build with malware. Such attacks against unencrypted maven repositories have been well known since 2019: github/securitylab#21 For this reason maven has disabled unencrypted http by default since 2021: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
ianibo pushed a commit to folio-org/mod-agreements that referenced this issue (May 9, 2021):
Replace http by https for maven.k-int.com, fixing MitM vulnerability. Unencrypted http allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the content downloaded during the build with malware. Such attacks against unencrypted maven repositories have been well known since 2019: github/securitylab#21 For this reason maven has disabled unencrypted http by default since 2021: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
Published Research: Want to take over the Java ecosystem? All you need is a MITM!
CVE ID(s): There are other projects without CVE numbers that need assignment still: https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0
Report
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
At the beginning of 2019, I began a multi-month long research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.
This included projects such as these:
As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.
The links to the announcements by these organizations can be found here.
At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.
I already have, but would post an updated post after this was merged.
Query
Unfortunately, since QL doesn't allow me to create queries against Gradle build logic yet, I'm only currently able to support Maven POM XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.
github/codeql#2413
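The check the query section above describes, together with the two remediations from the referenced commits (rewriting http:// to https:// in the POM as mod-agreements did, and redirecting the repositories through settings.xml mirrors as ort did), as an added example that is not part of this issue, not the CodeQL query in github/codeql#2413, and not code from any project referenced here. It approximates the query's logic: every <url> under a <repository>, <pluginRepository>, <snapshotRepository> or <site> element whose resolved value starts with http:// is reported, with <properties> references expanded one level. The sample POM, its repository ids, hostnames and the helper names are constructed for this example.

```python
"""Scan a Maven POM for artifact servers reached over plain HTTP.

Added example for the issue above; not the CodeQL query from
github/codeql#2413 and not code from any project referenced here.
The sample POM, repository ids and hostnames are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose <url> child names an artifact server (download or upload).
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "site"}
# Parents whose repositories Maven resolves through settings.xml <mirrors>;
# <distributionManagement> targets are deployed to, never mirrored.
MIRRORABLE = {"repositories", "pluginRepositories"}

# Constructed sample: insecure release and plugin repos, one secure repo, and
# an insecure deploy target whose URL comes from a <properties> reference.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <properties>
    <internal.repo>http://nexus.example.internal/repository/releases</internal.repo>
  </properties>
  <repositories>
    <repository>
      <id>k-int</id>
      <url>http://maven.k-int.com/content/repositories/releases</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://plugins.example.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository>
      <id>internal</id>
      <url>${internal.repo}</url>
    </repository>
  </distributionManagement>
</project>
"""


def _local(tag):
    """Drop the POM namespace prefix from an element tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _properties(root):
    """Collect every <properties> child as name -> value."""
    return {_local(c.tag): (c.text or "").strip()
            for p in root.iter() if _local(p.tag) == "properties" for c in p}


def _resolve(url, props):
    """Expand ${name} references one level, as Maven does for simple properties."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), url)


def find_insecure_repos(pom_xml):
    """Return [(parent_tag, repo_id, resolved_url)] for every http:// repo URL."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for parent in root.iter():
        for elem in parent:
            if _local(elem.tag) not in REPO_TAGS:
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            url = _resolve(fields.get("url", ""), props)
            if url.lower().startswith("http://"):
                findings.append((_local(parent.tag), fields.get("id", ""), url))
    return findings


def harden_pom(pom_xml):
    """Rewrite each flagged URL to https:// (the mod-agreements fix).

    Textual rewrite, so the POM keeps its formatting and property values are
    fixed where they are defined. Only the scheme changes: confirm the server
    answers on HTTPS before committing the result.
    """
    for _parent, _repo_id, url in find_insecure_repos(pom_xml):
        pom_xml = pom_xml.replace(url, "https://" + url[len("http://"):])
    return pom_xml


def mirror_settings(findings):
    """Emit a settings.xml <mirrors> block sending each insecure download
    repository to its HTTPS URL, the approach the ort commit describes for
    POMs you cannot edit. Deploy targets are skipped: mirrors do not apply."""
    lines = ["<settings>", "  <mirrors>"]
    for parent, repo_id, url in findings:
        if parent not in MIRRORABLE:
            continue
        lines += ["    <mirror>",
                  f"      <id>{repo_id}-https</id>",
                  f"      <mirrorOf>{repo_id}</mirrorOf>",
                  f"      <url>https://{url[len('http://'):]}</url>",
                  "    </mirror>"]
    lines += ["  </mirrors>", "</settings>"]
    return "\n".join(lines)
```

Mirrors only cover <repositories> and <pluginRepositories>, so a deploy target under <distributionManagement> has to be corrected in the POM itself, and swapping the scheme is only a fix when the server actually serves HTTPS, as the servers that decommissioned HTTP on January 15th, 2020 do. Since Maven 3.8.1 the default settings.xml blocks external http:// repositories through a mirror whose mirrorOf is external:http:*, so such a build fails outright; the scanner is still useful for POMs built with an older wrapper-pinned Maven or with that default overridden.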