Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Orbit » xalan_2.7.1 flagged for possible security violation
xalan_2.7.1 flagged for possible security violation [message #1220452] Wed, 11 December 2013 19:45 Go to next message
Patrick Rusk is currently offline Patrick RuskFriend
Messages: 35
Registered: June 2012
Member
My company's security infrastructure recently flagged...

/tools/orbit/downloads/drops/R20130827064939/repository/plugins/org.apache.xalan_2.7.1.v201005080400.jar

...as having a potential Java_Deserialization_Privilege_Escalation vulnerability.

Has anyone else experienced that? Does anyone know if that is a false positive that I can document sufficiently for our security department?

As a result of this, download.eclipse.org is blocked internally. Sad

Report message to a moderator

Re: xalan_2.7.1 flagged for possible security violation [message #1220643 is a reply to message #1220452] Thu, 12 December 2013 19:51 Go to previous messageGo to next message
David Williams is currently offline David WilliamsFriend
Messages: 722
Registered: July 2009
Senior Member
On 12/11/2013 02:46 PM, Patrick Rusk wrote:
> My company's security infrastructure recently flagged...
>
> /tools/orbit/downloads/drops/R20130827064939/repository/plugins/org.apache.xalan_2.7.1.v201005080400.jar
>
>
> ...as having a potential Java_Deserialization_Privilege_Escalation
> vulnerability.
>
> Has anyone else experienced that? Does anyone know if that is a false
> positive that I can document sufficiently for our security department?
>

I have not heard anything about this and some quick internet searches
didn't find anything obvious. You might ask on Apache's Xalan Java users
list.
(And, if you find out anything definitive, let us know!)

Thanks,

Report message to a moderator

Re: xalan_2.7.1 flagged for possible security violation [message #1220647 is a reply to message #1220643] Thu, 12 December 2013 20:20 Go to previous messageGo to next message
Patrick Rusk is currently offline Patrick RuskFriend
Messages: 35
Registered: June 2012
Member
I have looked into this a bit more and am definitely confused by one thing, and slighly concerned about it, too.

The jar referenced in that directory is called "org.apache.xalan_2.7.1.v201005080400.jar", which is the exact name of the standard plug-in that is found in, say, the Eclipse IDE for Java EE Developers (4.3.1) plugins directory. Yet, the jar downloaded from the Orbit site is two bytes larger, and a binary diff shows tons of differences.

That could certainly be accounted for if someone recompiled the code intentionally and innocently, but why have "v201005080400" in there, rather than the date and time of the actual recompile?

Again, I could think of potentially innocent reasons to do that, but is there any chance that someone has deliberately constructed a mischievous file and put it there?

If the file on the Orbit site was an identical binary, I would definitely regard this as a false positive. I was pretty surprised that it wasn't identical.

Thanks.

Report message to a moderator

Re: xalan_2.7.1 flagged for possible security violation [message #1220648 is a reply to message #1220647] Thu, 12 December 2013 20:27 Go to previous messageGo to next message
Patrick Rusk is currently offline Patrick RuskFriend
Messages: 35
Registered: June 2012
Member
Now I am no longer concerned.

I unpacked both jars and compared the contents of all of the .class files (WinMerge for the win!). All of the .class files are the same. It looks like this is just a repackaging of the same contents with perhaps a different certificate.

Thanks.

Report message to a moderator

Re: xalan_2.7.1 flagged for possible security violation [message #1231384 is a reply to message #1220452] Tue, 14 January 2014 14:39 Go to previous message
Gunnar Wagenknecht is currently offline Gunnar WagenknechtFriend
Messages: 486
Registered: July 2009
Location: San Francisco ✈ Germany
Senior Member
Patrick,

On 2013-12-11 19:46:00 +0000, Patrick Rusk said:

> My company's security infrastructure recently flagged...
>
> /tools/orbit/downloads/drops/R20130827064939/repository/plugins/org.apache.xalan_2.7.1.v201005080400.jar
>
>
> ..as having a potential Java_Deserialization_Privilege_Escalation
> vulnerability.

I'm afraid that your company's security infrastructure needs to unveil
more details about the found vulnerability. Privilege escalation
usually requires a flaw/vulnerability in the JRE. The JRE is creating
the sandbox out of which malicious code wants to escape.

Frankly, I think that blocking download.eclipse.org may not help to
address any of such vulnerabilities. You need to update the JRE
installations and/or block *all* internet sites distributing untrusted
Java code.

-Gunnar

--
Gunnar Wagenknecht
gunnar@xxxxxxxx

Report message to a moderator

Previous Topic:Permanent/Archive links for recent Orbit releases?
Next Topic:Live editing, reconciling
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Apr 19 21:17:05 GMT 2024

Powered by FUDForum. Page generated in 0.03241 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly