[MGNLCACHE-165] CacheEndpoint is potentially vulnerable to RCE

Created: 27/Feb/17 | Updated: 09/Aug/23 | Resolved: 28/Feb/17

| Status: | Closed |
| Project: | Cache Modules |
| Component/s: | cache browser |
| Affects Version/s: | 5.5.2 |
| Fix Version/s: | 5.5.3 |
| Type: | Bug |
| Priority: | Critical |
| Reporter: | Ilgun Ilgun |
| Assignee: | Ilgun Ilgun |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Sprint: | Basel 85 |
| Story Points: | 8 |
| Description |

As described in MAGNOLIA-6900, our CacheEndpoint is vulnerable to RCE through JSON-to-object deserialization, specifically in the /delete and /download methods. The risk is strongly mitigated by the fact that anonymous access to /.rest* is denied out of the box, but the endpoint may still be exploited CSRF-style. This issue proposes to implement a custom java.lang.ClassLoader and pass it to com.cedarsoftware.util.io.JsonReader at deserialization time, which gives us a hook to refuse any unwanted class the endpoint is asked to deserialize. The whitelist is made configurable in JCR: the user only has to populate the whitelisted classes via info.magnolia.cache.browser.CacheBrowserAppModule, and the custom ClassLoader handles the rest (checking whether each requested class is to be ignored or deserialized).
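Added illustration of the ClassLoader hook the description proposes (hypothetical code, not the module's own WhitelistAwareClassLoader): a loader that rejects every class not on the configured whitelist before json-io can resolve an "@type". It assumes json-io's JsonReader.CLASSLOADER reader option and Java 8; the optional java./javax. allowance follows the suggestion in the comments, so that JDK collections such as LinkedHashMap are not blocked.

```java
import com.cedarsoftware.util.io.JsonReader;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public final class WhitelistedClassLoader extends ClassLoader {
    private final Set<String> whitelist;    // fully qualified class names taken from configuration
    private final boolean allowJdkPackages; // admit java.* and javax.* so plain JDK collections still load

    public WhitelistedClassLoader(ClassLoader parent, Set<String> whitelist, boolean allowJdkPackages) {
        super(parent);
        this.whitelist = whitelist;
        this.allowJdkPackages = allowJdkPackages;
    }

    boolean isAllowed(String name) {
        return whitelist.contains(name)
                || (allowJdkPackages && (name.startsWith("java.") || name.startsWith("javax.")));
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!isAllowed(name)) {
            // Fail before delegating to the parent: the class is never resolved, so json-io cannot instantiate it.
            throw new ClassNotFoundException("Deserialization blocked: '" + name
                    + "' is not whitelisted; whitelisted classes are " + whitelist);
        }
        return super.loadClass(name, resolve);
    }

    // Deserialize with json-io while restricting "@type" resolution to the whitelist (plus JDK packages).
    public static Object readRestricted(String json, Set<String> whitelist) {
        ClassLoader restricted = new WhitelistedClassLoader(
                Thread.currentThread().getContextClassLoader(), whitelist, true);
        Map<String, Object> args = new HashMap<>();
        args.put(JsonReader.CLASSLOADER, restricted); // json-io reader option, assumed present in the version in use
        return JsonReader.jsonToJava(json, args);
    }

    public static void main(String[] unused) {
        Set<String> allowed = new HashSet<>(Arrays.asList("info.magnolia.module.cache.cachekey.DefaultCacheKey"));
        // Constructed input: "@type" names a placeholder class that is not on the whitelist, so resolution is refused.
        String hostile = "{\"@type\":\"com.example.NotWhitelisted\",\"x\":1}";
        try {
            readRestricted(hostile, allowed);
        } catch (RuntimeException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

json-io wraps the ClassNotFoundException in its own runtime exception, so the request fails at type resolution and no instance of the rejected class is ever created.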
| Comments |
| Comment by Maxime Michel [ 28/Feb/17 ] |

Reopened as this is what I got when I tried to download cached content in the browser:

2017-02-28 13:25:10,435 INFO he.browser.rest.endpoint.WhitelistAwareClassLoader: Serialisation is blocked due to the given class: 'java.util.LinkedHashMap' is not whitelisted and currently whitelisted classes are: '[info.magnolia.module.cache.cachekey.DefaultCacheKey]'
| Comment by Jan Haderka [ 28/Feb/17 ] |

Ha, in the original PR I was whitelisting everything from java. and javax. packages by default w/o making it configurable. You might want to do the same.
| Comment by Ilgun Ilgun [ 28/Feb/17 ] |

Indeed, doing it now.
| Comment by Jan Haderka [ 28/Feb/17 ] |

I would not. Let's stick to the official APIs.
| Comment by Ilgun Ilgun [ 28/Feb/17 ] |

We need the functionality to like comments here.