Java (Maven): Use of insecure protocol to download/upload artifacts #21

Closed
1 task done
JLLeitschuh opened this issue Nov 21, 2019 · 4 comments
Labels: All For One (Submissions to the All for One, One for All bounty), High (Bounty entry rated as High), PR merged (CodeQL team just merged the contribution), Reviewed by the Lab 🧪 (GH Security Lab has rated the contribution)

Comments

@JLLeitschuh

Published Research

Want to take over the Java ecosystem? All you need is a MITM!

CVE ID(s)

There are other projects without CVE numbers that need assignment still:
https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0

Report

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

At the beginning of 2019, I began a multi-month long research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.

This included projects such as these:

  • Kotlin Compiler
  • Groovy Compiler
  • Jenkins
  • Many JetBrains projects
  • Many Apache projects
  • Many Eclipse projects
  • Gradle building itself

As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.

  • Sonatype Maven Central
  • JFrog JCenter
  • Gradle
  • Spring

The links to the announcements by these organizations can be found here.

At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I already have, but would post an updated post after this was merged.

Query

Unfortunately, since QL doesn't allow me to create queries against Gradle build logic yet, I'm only currently able to support Maven Pom XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.

github/codeql#2413

@JLLeitschuh JLLeitschuh added the All For One Submissions to the All for One, One for All bounty label Nov 21, 2019
@nicowaisman nicowaisman added the Reviewed by the Lab 🧪 GH Security Lab has rate the contribution label Nov 27, 2019
@JLLeitschuh (Author)

Currently working on a draft for an article titled 'Update: Want to take over the Java ecosystem? All you need is a MITM!' which will mention this new QL query.

@nicowaisman nicowaisman added PR merged CodeQL team just merge the contribution and removed PR merged CodeQL team just merge the contribution labels Dec 16, 2019
@JLLeitschuh (Author)

Merged! 😄

@nicowaisman nicowaisman added the High Bounty entry rated as High label Jan 2, 2020
@xcorail (Contributor)

xcorail commented Jan 2, 2020

High severity-ranking
Payment order reviewed and 👍
Ready to 💰

@JLLeitschuh (Author)

Shared to twitter here: https://twitter.com/JLLeitschuh/status/1207402070007066624?s=20

Thanks GitHub Team! Pleasure working with you as always!

mnonnenmacher added a commit to oss-review-toolkit/ort that referenced this issue Jan 15, 2020
Several Maven repositories have disabled HTTP access for security
reasons, see [1] and [2]. To be able to still analyze old Maven projects
that use the HTTP URLs automatically create mirrors for those
repositories pointing to the HTTPS URLs. Otherwise Maven would abort
with an exception as soon as it tries to download an artifact from any
of those repositories.

[1] github/securitylab#21
[2] https://medium.com/@jonathan.leitschuh/update-want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-d069d253fe23

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
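The two things this thread keeps coming back to are (a) finding every place a POM reaches a remote over plain HTTP, which is what the CodeQL query in the Report section targets, and (b) the mirror trick the ORT commit above describes, where an old POM's HTTP repositories are redirected to HTTPS from settings.xml instead of being edited. The script below is an added example written for this page; it is not the query from github/codeql#2413 and not oss-review-toolkit code. The pom.xml it parses is constructed for the demo and every repository id and hostname in it is made up.

```python
"""Flag Maven POM repositories that are reached over plain HTTP and generate
settings.xml <mirror> entries that redirect the download ones to HTTPS.

Added example for this thread. Not the CodeQL query from github/codeql#2413
and not oss-review-toolkit code; the pom.xml below is constructed for the
demo and every id and hostname in it is made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Where a POM names remotes: the first two are resolved (downloaded from),
# the distributionManagement ones are deploy targets (uploaded to).
REPOSITORY_PATHS = {
    "repositories/repository": "download",
    "pluginRepositories/pluginRepository": "download",
    "distributionManagement/repository": "upload",
    "distributionManagement/snapshotRepository": "upload",
}

SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>secure</id><url>https://repo.example.test/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.test/maven2/</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository><id>releases</id><url>http://deploy.example.test/releases</url></repository>
  </distributionManagement>
</project>
"""


def _q(path):
    """Qualify every step of a slash-separated path with the POM namespace."""
    return "/".join("{%s}%s" % (POM_NS, step) for step in path.split("/"))


def find_insecure_repositories(pom_xml):
    """Return a list of (kind, repository id, url) for every repository whose
    URL uses the http scheme. Scheme matching is case-insensitive (RFC 3986),
    so an uppercase HTTP:// is still caught. URLs given as ${property}
    placeholders have no scheme and are not resolved by this scanner."""
    root = ET.fromstring(pom_xml)
    findings = []
    for path, kind in REPOSITORY_PATHS.items():
        for repo in root.findall(_q(path)):
            url_el = repo.find(_q("url"))
            id_el = repo.find(_q("id"))
            if url_el is None or not url_el.text:
                continue
            url = url_el.text.strip()
            if urlsplit(url).scheme.lower() == "http":
                repo_id = id_el.text.strip() if id_el is not None and id_el.text else None
                findings.append((kind, repo_id, url))
    return findings


def to_https(url):
    """Rewrite the scheme of url to https, keeping host, path and query."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def mirror_settings(findings):
    """Build a settings.xml fragment with one <mirror> per insecure download
    repository, matched by <mirrorOf> on the repository id so the HTTP URL in
    the POM is never contacted. Mirrors only affect resolution: an http
    deploy target in distributionManagement has to be fixed in the POM."""
    mirrors = []
    for kind, repo_id, url in findings:
        if kind != "download" or repo_id is None:
            continue
        mirrors.append(
            "    <mirror>\n"
            "      <id>%s-https</id>\n"
            "      <mirrorOf>%s</mirrorOf>\n"
            "      <url>%s</url>\n"
            "    </mirror>" % (repo_id, repo_id, to_https(url))
        )
    return "<settings>\n  <mirrors>\n%s\n  </mirrors>\n</settings>" % "\n".join(mirrors)


if __name__ == "__main__":
    found = find_insecure_repositories(SAMPLE_POM)
    for kind, repo_id, url in found:
        print("%-8s %-9s %s" % (kind, repo_id, url))
    print(mirror_settings(found))
```

Two points worth keeping in mind when using something like this. The mirror approach only covers resolution: Maven applies `<mirror>` entries to `repositories` and `pluginRepositories`, not to the `distributionManagement` targets a `mvn deploy` uploads to, so an http deploy URL still has to be changed in the POM itself. And since Maven 3.8.1 (the release the later commit in this thread links to) the default settings ship a blocking mirror named `maven-default-http-blocker` whose `<mirrorOf>` is `external:http:*`; an explicit mirror keyed on the repository id, as generated above, takes precedence for that id and turns the hard failure into an HTTPS fetch.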
sschuberth pushed a commit to oss-review-toolkit/ort that referenced this issue Jan 16, 2020
Several Maven repositories have disabled HTTP access for security
reasons, see [1] and [2]. To be able to still analyze old Maven projects
that use the HTTP URLs automatically create mirrors for those
repositories pointing to the HTTPS URLs. Otherwise Maven would abort
with an exception as soon as it tries to download an artifact from any
of those repositories.

[1] github/securitylab#21
[2] https://medium.com/p/d069d253fe23

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@here.com>
@nicowaisman nicowaisman added the PR merged CodeQL team just merge the contribution label Jan 27, 2020
julianladisch added a commit to julianladisch/mod-agreements that referenced this issue May 6, 2021
Replace http by https for maven.k-int.com, fixing MitM vulnerability.

Unencrypted http allows an attacker to run a
Machine-in-the-Middle (MitM) attack that replaces
the content downloaded during the build by malware.

Such attacks against unencrypted maven repositories are well-known since 2019:
github/securitylab#21

For this reason maven disabled unencrypted http by default since 2021:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
ianibo pushed a commit to folio-org/mod-agreements that referenced this issue May 9, 2021
Replace http by https for maven.k-int.com, fixing MitM vulnerability.

Unencrypted http allows an attacker to run a
Machine-in-the-Middle (MitM) attack that replaces
the content downloaded during the build by malware.

Such attacks against unencrypted maven repositories are well-known since 2019:
github/securitylab#21

For this reason maven disabled unencrypted http by default since 2021:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291