Eclipse Community Forums
xalan_2.7.1 flagged for possible security violation [message #1220452] Wed, 11 December 2013 14:45
Patrick Rusk (Messages: 35, Registered: June 2012, Member)
My company's security infrastructure recently flagged...

/tools/orbit/downloads/drops/R20130827064939/repository/plugins/org.apache.xalan_2.7.1.v201005080400.jar

...as having a potential Java_Deserialization_Privilege_Escalation vulnerability.

Has anyone else experienced that? Does anyone know if that is a false positive that I can document sufficiently for our security department?

As a result of this, download.eclipse.org is blocked internally. :(
Re: xalan_2.7.1 flagged for possible security violation [message #1220643 is a reply to message #1220452] Thu, 12 December 2013 14:51
David Williams (Messages: 696, Registered: July 2009, Senior Member)
On 12/11/2013 02:46 PM, Patrick Rusk wrote:
> My company's security infrastructure recently flagged...
>
> /tools/orbit/downloads/drops/R20130827064939/repository/plugins/org.apache.xalan_2.7.1.v201005080400.jar
>
>
> ...as having a potential Java_Deserialization_Privilege_Escalation
> vulnerability.
>
> Has anyone else experienced that? Does anyone know if that is a false
> positive that I can document sufficiently for our security department?
>

I have not heard anything about this and some quick internet searches
didn't find anything obvious. You might ask on Apache's Xalan Java users
list.
(And, if you find out anything definitive, let us know!)

Thanks,
Re: xalan_2.7.1 flagged for possible security violation [message #1220647 is a reply to message #1220643] Thu, 12 December 2013 15:20
Patrick Rusk (Messages: 35, Registered: June 2012, Member)
I have looked into this a bit more and am definitely confused by one thing, and slightly concerned about it, too.

The jar referenced in that directory is called "org.apache.xalan_2.7.1.v201005080400.jar", which is the exact name of the standard plug-in that is found in, say, the Eclipse IDE for Java EE Developers (4.3.1) plugins directory. Yet, the jar downloaded from the Orbit site is two bytes larger, and a binary diff shows tons of differences.

That could certainly be accounted for if someone recompiled the code intentionally and innocently, but why have "v201005080400" in there, rather than the date and time of the actual recompile?

Again, I could think of potentially innocent reasons to do that, but is there any chance that someone has deliberately constructed a mischievous file and put it there?

If the file on the Orbit site was an identical binary, I would definitely regard this as a false positive. I was pretty surprised that it wasn't identical.

Thanks.
Re: xalan_2.7.1 flagged for possible security violation [message #1220648 is a reply to message #1220647] Thu, 12 December 2013 15:27
Patrick Rusk (Messages: 35, Registered: June 2012, Member)
Now I am no longer concerned.

I unpacked both jars and compared the contents of all of the .class files (WinMerge for the win!). All of the .class files are the same. It looks like this is just a repackaging of the same contents with perhaps a different certificate.

Thanks.
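A scripted form of the jar-content comparison described in the post above, added here as an example and not taken from the thread or from Orbit: it hashes every entry of two jars and reports which ones differ, treating only the signature files under META-INF as an expected difference between a re-signed build and the original. The class bytes and entry names below are constructed stand-ins, not the real Xalan contents.

```python
import hashlib
import io
import zipfile

# Entries that legitimately differ when a jar is re-signed: the manifest
# (digest lines get added) and the signature/block files under META-INF.
def is_signature_entry(name: str) -> bool:
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/")
        and upper.endswith((".SF", ".RSA", ".DSA", ".EC"))
    )

def digest_entries(jar_bytes: bytes) -> dict:
    """Map every non-signature entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_jars(a: bytes, b: bytes) -> dict:
    """Return entries only in a, only in b, and entries whose bytes differ."""
    da, db = digest_entries(a), digest_entries(b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
    }

def build_jar(entries: dict) -> bytes:
    """Constructed sample jar: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: identical classes, different signing metadata (hypothetical bytes).
CLASSES = {"org/apache/xalan/Version.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32",
           "org/apache/xalan/xslt/Process.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32X"}
ORIGINAL_JAR = build_jar({**CLASSES, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                          "META-INF/ECLIPSE_.SF": b"sig-1", "META-INF/ECLIPSE_.RSA": b"blob-1"})
REPACKAGED_JAR = build_jar({**CLASSES, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: x\n",
                            "META-INF/ORBIT.SF": b"sig-2", "META-INF/ORBIT.RSA": b"blob-2"})
TAMPERED_JAR = build_jar({**CLASSES, "org/apache/xalan/xslt/Process.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32Y"})
```

An empty result for `compare_jars(ORIGINAL_JAR, REPACKAGED_JAR)` is the "same classes, different certificate" case from the post; the manifest is skipped here, so still read it by hand, since headers such as Bundle-Activator live there.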
Re: xalan_2.7.1 flagged for possible security violation [message #1231384 is a reply to message #1220452] Tue, 14 January 2014 09:39
Gunnar Wagenknecht (Messages: 447, Registered: July 2009, Senior Member)
Patrick,

On 2013-12-11 19:46:00 +0000, Patrick Rusk said:

> My company's security infrastructure recently flagged...
>
> /tools/orbit/downloads/drops/R20130827064939/repository/plugins/org.apache.xalan_2.7.1.v201005080400.jar
>
>
> ..as having a potential Java_Deserialization_Privilege_Escalation
> vulnerability.

I'm afraid that your company's security infrastructure needs to unveil
more details about the found vulnerability. Privilege escalation
usually requires a flaw/vulnerability in the JRE. The JRE is creating
the sandbox out of which malicious code wants to escape.

Frankly, I think that blocking download.eclipse.org may not help to
address any of such vulnerabilities. You need to update the JRE
installations and/or block *all* internet sites distributing untrusted
Java code.

-Gunnar
