Deserialization of a maliciously crafted Apache OpenJPA object can result in an executable file being written to the file system. An attacker needs to discover an unprotected server program to exploit the vulnerability. The attacker then needs to exploit another unprotected server program to execute the file and gain access to the system. OpenJPA usage by itself does not introduce the vulnerability.
CVE-2013-1768: Apache OpenJPA security vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
OpenJPA 1.0.0 to 1.0.4
OpenJPA 1.1.0
OpenJPA 1.3.0
OpenJPA 1.2.0 to 1.2.2
OpenJPA 2.0.0 to 2.0.1
OpenJPA 2.1.0 to 2.1.1
OpenJPA 2.2.0 to 2.2.1
Description: Deserialization of a maliciously crafted OpenJPA object can
result in an executable file being written to the file system. An
attacker needs to discover an unprotected server program to exploit the
vulnerability. The attacker then needs to exploit another unprotected
server program to execute the file and gain access to the system.
OpenJPA usage by itself does not introduce the vulnerability.
Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
specification level should upgrade to the OpenJPA 1.2.3 release. Users
of OpenJPA using a release based upon the JPA 2.0 specification level
should upgrade to the OpenJPA 2.2.2 release. Users needing to stay on
their current release should get the latest code from svn for the
corresponding branch level or apply a source patch and build a new
binary package. Nightly snapshots of the latest source builds are also
available for many branches.
OpenJPA release branch levels and corresponding fix revisions:
OpenJPA 1.0.x revision 1462558:
http://svn.apache.org/viewvc?view=revision&revision=1462558
OpenJPA 1.1.x revision 1462512:
http://svn.apache.org/viewvc?view=revision&revision=1462512
OpenJPA 1.2.x revision 1462488:
http://svn.apache.org/viewvc?view=revision&revision=1462488
OpenJPA 1.3.x revision 1462328:
http://svn.apache.org/viewvc?view=revision&revision=1462328
OpenJPA 2.0.x revision 1462318:
http://svn.apache.org/viewvc?view=revision&revision=1462318
OpenJPA 2.1.x revision 1462268:
http://svn.apache.org/viewvc?view=revision&revision=1462268
OpenJPA 2.2.1.x revision 1462225:
http://svn.apache.org/viewvc?view=revision&revision=1462225
OpenJPA 2.2.x revision 1462076:
http://svn.apache.org/viewvc?view=revision&revision=1462076
Example: An attacker creates a customized serialization of an OpenJPA
object. The attacker exploits an unprotected server program to execute
the object. The object includes logic that results in malicious trace
being written to a file, such as a JSP. The file containing malicious
commands is written to a potentially vulnerable area of the system. The
attacker exploits a second unprotected server program to execute the
file and gain access to the system.
Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
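An added inventory check (not part of the advisory or of OpenJPA) that classifies OpenJPA jar file names against the "Versions Affected" list and the upgrade targets in the "Mitigation" paragraph. The Maven-style `<artifact>-<version>.jar` naming, the mapping of 1.x releases to JPA 1.0 and 2.x releases to JPA 2.0, and the sample paths are assumptions.

```python
import re
from pathlib import PurePath

# Affected ranges (inclusive), copied from the advisory's "Versions Affected" list.
AFFECTED = [
    ((1, 0, 0), (1, 0, 4)),
    ((1, 1, 0), (1, 1, 0)),
    ((1, 2, 0), (1, 2, 2)),
    ((1, 3, 0), (1, 3, 0)),
    ((2, 0, 0), (2, 0, 1)),
    ((2, 1, 0), (2, 1, 1)),
    ((2, 2, 0), (2, 2, 1)),
]
# Upgrade targets from "Mitigation". Assumption: 1.x = JPA 1.0 level, 2.x = JPA 2.0 level.
UPGRADE = {1: "1.2.3", 2: "2.2.2"}

# Assumed naming: openjpa[-module]-<major>.<minor>.<patch>[qualifier].jar
JAR_RE = re.compile(r"^openjpa(?:-[a-z]+)*-(\d+)\.(\d+)\.(\d+)([.-][\w.-]+)?\.jar$")

def classify(path):
    """Return (status, version, upgrade_target), or None if not an OpenJPA jar."""
    m = JAR_RE.match(PurePath(path).name)
    if not m:
        return None
    base = tuple(int(x) for x in m.group(1, 2, 3))
    version = ".".join(map(str, base)) + (m.group(4) or "")
    if not any(lo <= base <= hi for lo, hi in AFFECTED):
        return ("not-listed", version, None)
    # A qualifier (SNAPSHOT, fourth digit) may be a branch build made before or
    # after the fix revision; the file name cannot tell, so flag it for review.
    status = "review" if m.group(4) else "affected"
    return (status, version, UPGRADE[base[0]])

def report(paths):
    """Classify every OpenJPA jar in an inventory, skipping unrelated files."""
    return [(p, *r) for p in paths if (r := classify(p))]

SAMPLE = [  # constructed inventory, not taken from the advisory
    "/srv/app/WEB-INF/lib/openjpa-2.2.1.jar",
    "/srv/app/WEB-INF/lib/openjpa-persistence-jdbc-1.0.4.jar",
    "/srv/app/WEB-INF/lib/openjpa-all-2.2.2.jar",
    "/srv/app/WEB-INF/lib/openjpa-2.1.1-SNAPSHOT.jar",
    "/srv/app/WEB-INF/lib/commons-lang-2.1.jar",
]

if __name__ == "__main__":
    for path, status, version, target in report(SAMPLE):
        print(f"{status:10} {version:16} upgrade to {target or '-'}  {path}")
```

A "not-listed" result only means the version is outside the advisory's list; a binary rebuilt from a patched source tree can keep an affected version number, so confirm the build revision where that applies.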