2.3.1 Release CVE Reports

CVE-2016-0709: Code execution via ZIP file path traversal

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected
Mitigation: 2.2.0 - 2.3.0 users should upgrade to 2.3.1
Credit: This issue was discovered by Andreas Lindh
References: http://tomcat.apache.org/security.html

Description:

The Import/Export function in the Portal Site Manager, part of the Jetspeed Administrative Portlets, is vulnerable to a path traversal via specially crafted file names in ZIP archives. Any user with permission to upload files via this function can upload a file with a name like "../../../../tmp/foo" to write a file named "foo" in the /tmp directory. This is because the code that unzips the archive does not check the validity of the entry names before writing them to disk. This can be turned into code execution by uploading a .jsp file and writing it to a location on the file system where the web server will execute it when visited.
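As an added defensive illustration (not Jetspeed's code), this is the check the advisory says is missing: every archive entry name is resolved against the destination directory before anything is written, and entries that would land outside it are rejected. The sample archive, the throwaway destination directory and the function names are constructed for this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def is_safe_entry(entry_name, dest_dir):
    """True only if entry_name resolves to a path at or below dest_dir."""
    # Absolute names can never be legitimate entries of an import archive.
    if entry_name.startswith(("/", "\\")):
        return False
    dest = Path(dest_dir).resolve()
    # Treat backslashes as separators too; some archivers emit them.
    target = (dest / entry_name.replace("\\", "/")).resolve()
    return target == dest or dest in target.parents


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that stay under dest_dir; returns (written, rejected)."""
    written, rejected = [], []
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def build_sample_zip():
    """Constructed test archive: one benign entry and two escaping names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/folder.metadata", "<folder/>")
        zf.writestr("../../../../tmp/foo", "would land outside the import dir")
        zf.writestr("/etc/passwd", "absolute path")
    return buf.getvalue()


def demo():
    """Run the hardened extraction into a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest_dir:
        return safe_extract(build_sample_zip(), dest_dir)
```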

CVE-2016-0710: SQL injection in User Manager service

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Jetspeed 2.3.0
Mitigation: 2.3.0 users should upgrade to 2.3.1
Credit: This issue was discovered by Andreas Lindh
References: http://tomcat.apache.org/security.html

Description:

The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable to SQL injection. When performing a search in these tools, the 'user' and 'role' parameters of the request can be injected to alter the logic of the subsequent SQL statement.

There is also an authorization flaw at play here, since these service URLs can be reached without being authenticated in Jetspeed.

Example

Given this URL:

http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20

The 'role' parameter contains the value "foo", which is not an existing role, but because of the injected SQL (or '1'='1') the WHERE clause evaluates to true anyway and all existing users are returned.
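As an added illustration (not Jetspeed's own code), the difference between a role filter built by string concatenation and one using a bound parameter, run against a constructed in-memory SQLite table with the payload quoted above; the table and column names are invented for the example.

```python
import sqlite3

# Constructed sample data standing in for the portal's user/role tables.
SAMPLE_USERS = [("admin", "admin"), ("andreas", "manager"), ("guest", "user")]


def make_db():
    """In-memory database with a minimal users/roles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, role_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_users_vulnerable(conn, role):
    """Request parameter spliced into the SQL text: the flaw described above."""
    sql = "SELECT user_name FROM users WHERE role_name = '" + role + "' ORDER BY user_name"
    return [row[0] for row in conn.execute(sql)]


def search_users_safe(conn, role):
    """Bound parameter: the value is data, never SQL, whatever it contains."""
    sql = "SELECT user_name FROM users WHERE role_name = ? ORDER BY user_name"
    return [row[0] for row in conn.execute(sql, (role,))]


def demo():
    """Run both queries with the advisory's payload and with a legitimate role."""
    conn = make_db()
    injected = "foo' or '1'='1"  # non-existent role followed by a tautology
    return {
        "vulnerable_injected": search_users_vulnerable(conn, injected),
        "safe_injected": search_users_safe(conn, injected),
        "safe_legit": search_users_safe(conn, "manager"),
    }
```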

CVE-2016-0711: Persistent Cross Site Scripting in links, pages and folders

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected
Mitigation: 2.2.0 - 2.3.0 users should upgrade to 2.3.1
Credit: This issue was discovered by Andreas Lindh
References: http://tomcat.apache.org/security.html

Description:

The functionality to add a link, page, or folder is vulnerable to persistent Cross Site Scripting, because HTML tags can be included in the object's name, as in the example below, where a page object is renamed after creation.

Example

Given this AJAX request:

POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?_type=json HTTP/1.1
Host: 192.168.2.4:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
Content-Length: 60
Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9; JS2TOOLBOX=TAB=theme&CAT=Administration
Connection: close

title=foobar</a></li><script>alert(document.domain)</script>

Which results in the following content in the server response:

<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<title>foobar</a></li><script>alert(document.domain)</script></title>

Note that this code will be executed every time someone visits that space.

CVE-2016-0712: Reflected Cross Site Scripting in URI path

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected
Mitigation: 2.2.0 - 2.3.0 users should upgrade to 2.3.1
Credit: This issue was discovered by Andreas Lindh
References: http://tomcat.apache.org/security.html

Description:

The URI path segment after /portal is vulnerable to reflected Cross Site Scripting. When the following URL is visited, a JavaScript pop-up appears as soon as the mouse is moved over the minimize/maximize buttons (the affected element may differ between UI versions). Note that this issue was only reproduced in the Firefox browser.

Example

Given this URL:

http://192.168.2.9:8080/jetspeed/portal/foo%22onmouseover%3d%22alert%281%29?URL=foo/bar

The HTML response then contains the following markup, with the injected attribute closing the href value:

<a href="http://192.168.2.4:8080/jetspeed/portal/_ns:..._/foo"onmouseover="alert(1)"
title="Minimize" class="action portlet-action" ><img src="/jetspeed/decorations/images/minimized.gif" alt="Minimize" border="0"/></a>

CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Jetspeed 2.3.0
Mitigation: 2.3.0 users should upgrade to 2.3.1
Credit: This issue was discovered by Andreas Lindh
References: http://tomcat.apache.org/security.html

Description:

The Jetspeed User Manager services are vulnerable to unauthorized access. The following APIs are not restricted by Jetspeed Security:

GET http://host/jetspeed/services/usermanager/users/
GET http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/
DELETE http://host/jetspeed/services/usermanager/users/{name}/

In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring Administrative rights.