Tag Archives: Security

Detecting Jackson deserialization vulnerabilities with CodeQL

If you use Jackson Databind library and run a security scanner, you might have received quite a lot of alerts about deserialization vulnerabilities. In the past, a new CVE pop up nearly every month when someone discovered a new deserialization gadget that could be used to exploit an application. Fortunately, the project doesn’t assign CVEs for new deserialization gadgets anymore. It makes sense because an application that uses Jackson libraries is not vulnerable by default. However, if the application uses Jackson libraries in a certain way, it may be in danger.

Below I’ll show how CodeQL can be used to to check whether or not an application is vulnerable to deserialization attacks.

Continue reading

Detecting dangerous RMI objects with CodeQL

Java RMI uses the default Java deserialization mechanism for passing parameters during remote method invocations. In other words, RMI uses ObjectInputStream that is a well-known unsafe deserialization mechanism. If an attacker can find and send a deserialization gadget to a vulnerable remote method, in the worst case it can result in arbitrary code execution.

I recently wrote a CodeQL query that looks for dangerous remote objects registered in an RMI registry. This post describes the vulnerability and how the query works.

Continue reading

WS-2016-7107: CSRF tokens in Spring and the BREACH attack

Recently WhiteSource security scanner started reporting WS-2016-7107 against Spring-based applications. This is an old issue in Spring Security that was reported in 2016. Unfortunately, at the moment of writing it, the issue has not been fixed yet. But there is a pull request that should address it. The problem is that CSRF tokens generated by Spring Security are vulnerable to the BREACH attack. The attack is even older — it was published in 2013. The BREACH attack is similar to the CRIME attack but BREACH doesn’t need TLS compression.

(you can also read it on Medium)

WS-2016-7107: CSRF tokens in Spring and the BREACH attack
Continue reading

Detecting dangerous Spring service exporters with CodeQL

In this blog post, I’ll talk about detecting unsafe Spring Exporters with a CodeQL query. First, I’ll describe the issue that received CVE-2016-1000027. Next, I’ll show what a vulnerable code looks like and how the issue can be mitigated in an application. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.

(you can also read it on Medium)

Detecting dangerous Spring Exporters with CodeQL
Continue reading

Fosstars: a framework for defining ratings for open source projects

I recently wrote a blog post about a project I have been working on at SAP for a year. The project is called Fosstars. It is an open-source Java-based framework for defining ratings that help to assess security, activity and other properties of open source projects. Currently, Fosstars offers a comprehensive security rating that helps to identify open source components that can be a security risk for an application. The blog post describes how Fosstars work:

https://blogs.sap.com/2021/02/09/fosstars-a-framework-for-defining-ratings-for-open-source-projects/

I am planning to write a few more articles. One is going to talk about the security rating in detail, and another one is going to be about calculating security ratings with Fosstars and GitHub actions.

Detecting JEXL injections with CodeQL

In this post, I’ll talk about a CodeQL query for detecting JEXL Expression Language injection vulnerabilities. First, I’ll give a brief overview of expression languages in general and JEXL in particular. Next, I’ll explain what Expression Language injection is and how to prevent it. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.

(you can also read it on Medium)

Detecting JEXL injections with CodeQL
Continue reading

CVE-2020-1925: Requests to arbitrary URLs in Apache Olingo

Some time ago I wrote about unsafe deserialization and DoS vulnerabilities I’ve discovered in Apache Olingo. This post describes one more issue in the library. This time, it’s a little flaw in the Olingo client which may allow sending some HTTP requests to arbitrary URLs. The issue has been fixed in the 4.7.1 release.

In case you don’t know, Apache Olingo is a Java library that implements the Open Data Protocol (OData). This protocol allows the creation and consumption of queryable and interoperable RESTful APIs in a simple way.

CVE-2020-1925: Requests to arbitrary URLs in Apache Olingo
Continue reading

CVE-2019-17556: Unsafe deserialization in Apache Olingo

Some time ago I wrote about one security issue which I found in the library. This post describes another little vulnerability in Apache Olingo. The issue has been fixed in the 4.7.0 release as well.

By the way, Apache Olingo is a Java library that implements the Open Data Protocol (OData). This protocol allows the creation and consumption of queryable and interoperable RESTful APIs in a simple way.

CVE-2019-17556: Unsafe deserialization in Apache Olingo
Continue reading

CVE-2019-17555: DoS via Retry-After header in Apache Olingo

Apache Olingo is a Java library that implements the Open Data Protocol (OData). This protocol allows the creation and consumption of queryable and interoperable RESTful APIs in a simple way.

This post describes a little vulnerability that I recently discovered in Apache Olingo. The issue has been fixed in the 4.7.0 release.

CVE-2019-17555: DoS via Retry-After header in Apache Olingo
Continue reading