
XML Deserialization vulnerability in BeanXMLByteCoder #709

Open
2ha0yuk7on opened this issue Apr 26, 2023 · 3 comments

@2ha0yuk7on

vulnerability location: ca.odell.glazedlists.impl.io.BeanXMLByteCoder

The BeanXMLByteCoder class provides a decode() method to decode an Object from an InputStream.

When the decode() method is called, the program calls XMLDecoder.readObject() to parse the XML string without any check, which causes an XML deserialization vulnerability.

ca.odell.glazedlists.impl.io.BeanXMLByteCoder#decode


attack payload:

<java>
	<object class="java.lang.ProcessBuilder">
		<array class="java.lang.String" length="1">
			<void index="0"><string>calc</string></void>
		</array>
		<void method="start"></void>
	</object>
</java>

Use a little program to test.

os: windows 10
jdk: 1.8.0_111
glazedlists: 1.11.0


@hbrands
Member

hbrands commented May 20, 2023

Thanks for reporting the issue to us.
BeanXMLByteCoder is a small adapter for the XMLDecoder and XMLEncoder classes from the standard Java API.
As you point out, the security issue is located in the XMLDecoder.readObject method when reading from an untrusted input source.
As far as I can see, BeanXMLByteCoder is part of the Glazed Lists IO extension, but is not used actively in the code base.
A Glazed Lists user using BeanXMLByteCoder should only deserialize from trusted input sources.

Please note that the Glazed Lists IO extension is deprecated and will be removed from the next major version of Glazed Lists.
But even if BeanXMLByteCoder is removed, the vulnerability is still there in XMLDecoder. There's nothing we can do about that.
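The maintainer's point above is that java.beans.XMLDecoder itself instantiates whatever `class` attribute the document names and invokes whatever `method` attribute it carries, so the only sound fix is to keep untrusted input away from it. Where a caller cannot avoid decoding input it does not fully control, one defensive pattern is to parse the document with a plain XML parser first and reject any element that names a class or method outside an allow-list before XMLDecoder ever sees it. The following is an added example written for this issue; it is not GlazedLists code, and the class name `GuardedBeanXmlDecoder`, the allow-list constructor and the sample documents in `main` are all assumptions made for the illustration.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/**
 * Hypothetical allow-list gate in front of java.beans.XMLDecoder.
 * Added example for this issue; not part of GlazedLists or the JDK.
 */
public final class GuardedBeanXmlDecoder {

    private final Set<String> allowedClasses;
    private final Set<String> allowedMethods;

    public GuardedBeanXmlDecoder(Set<String> allowedClasses, Set<String> allowedMethods) {
        this.allowedClasses = Collections.unmodifiableSet(new HashSet<>(allowedClasses));
        this.allowedMethods = Collections.unmodifiableSet(new HashSet<>(allowedMethods));
    }

    /** Validates the whole document first; XMLDecoder runs only if every element passed. */
    public Object decode(byte[] xml) throws IOException {
        validate(xml);
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return decoder.readObject();
        }
    }

    private void validate(byte[] xml) throws IOException {
        Document doc;
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // No DOCTYPE: bean XML never needs entities, and this closes the XXE path as well.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        } catch (ParserConfigurationException | SAXException ex) {
            throw new IOException("bean XML is not well-formed", ex);
        }
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e == doc.getDocumentElement()) {
                continue; // XMLEncoder's root <java class="java.beans.XMLDecoder"> carries no payload
            }
            // <class>some.Name</class> yields a Class object; plain bean graphs never need it.
            if ("class".equals(e.getTagName())) {
                throw new IOException("<class> element not allowed");
            }
            // object/array/new/void all take a "class" attribute that XMLDecoder resolves and instantiates.
            if (e.hasAttribute("class") && !allowedClasses.contains(e.getAttribute("class"))) {
                throw new IOException("class not allowed: " + e.getAttribute("class"));
            }
            // "method" invokes a method on the current object; only allow-listed names pass.
            if (e.hasAttribute("method") && !allowedMethods.contains(e.getAttribute("method"))) {
                throw new IOException("method not allowed: " + e.getAttribute("method"));
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs for the demo: one in the shape XMLEncoder emits for a map, one that is not.
        byte[] benign = ("<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">"
                + "<object class=\"java.util.HashMap\">"
                + "<void method=\"put\"><string>host</string><string>example.invalid</string></void>"
                + "</object></java>").getBytes(StandardCharsets.UTF_8);
        byte[] rejected = "<java><object class=\"java.lang.ProcessBuilder\"/></java>"
                .getBytes(StandardCharsets.UTF_8);

        GuardedBeanXmlDecoder guarded = new GuardedBeanXmlDecoder(
                new HashSet<>(Arrays.asList("java.util.HashMap")),
                new HashSet<>(Arrays.asList("put")));

        System.out.println("benign -> " + guarded.decode(benign));
        try {
            guarded.decode(rejected);
        } catch (IOException ex) {
            System.out.println("rejected -> " + ex.getMessage());
        }
    }
}
```

The allow-lists have to be tuned to the beans a given caller actually persists: XMLEncoder emits `<void property="...">` for setters, which the gate permits on any allow-listed class, and `<void method="add">` / `<void method="put">` for collection- and map-valued properties, which is why `method` is an allow-list rather than a flat refusal. The gate bounds what XMLDecoder can construct and call; it does not make XMLDecoder safe on its own, and the maintainer's advice to decode only trusted input still stands.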

@hbrands hbrands added this to the 2.0.0 milestone May 20, 2023
@ashish9889

Hi,
By when can we expect the updated vulnerability-free version of the library?
If at all we are working on fixing this.

@hmekni

hmekni commented Sep 26, 2023

Hello,

I'm facing the same vulnerability after running a BlackDuck scan, any due date for the new release?

Thanks in advance.
