Author: buildbot
Date: Tue Jul 12 19:11:52 2022
New Revision: 1080135

Log:
Production update by buildbot for tapestry

Modified:
    websites/production/tapestry/content/cache/main.pageCache
    websites/production/tapestry/content/security.html

Modified: websites/production/tapestry/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/tapestry/content/security.html
==============================================================================
--- websites/production/tapestry/content/security.html (original)
+++ websites/production/tapestry/content/security.html Tue Jul 12 19:11:52 2022
@@ -210,9 +210,9 @@
             }
         }, "before:*");
     }</code></pre>
-</div></div><p></p><p>Sometimes, in production, a firewall or proxy may make 
it look like the client web browser originates from localhost, with the 
consequence that whitelisted pages may be visible to all users. See the&#160;<a 
href="security-faq.html">Security FAQ</a> for how to deal with this.</p><h2 
id="Security-AssetSecurity">Asset Security</h2><p>Main Article:&#160;<a 
href="security.html">Security</a></p><p class="confluence-link">Tapestry serves 
assets (static content such as CSS files, images, and JavaScript, many of which 
are on the classpath alongside your compiled class files) to the 
client.&#160;Because of this, great care has gone into ensuring that certain 
file types cannot be served to the client. By default, file ending with 
".class', ".tml" and ".properties" can be served to the client only if the 
request includes the file's MD5 checksum. As you would expect, that blacklist 
can be extended. See <a href="assets.html">Assets</a> for more 
information.</p><h2 id="Securi
 ty-ProtectingSerializedObjectDataontheClient">Protecting Serialized Object 
Data on the Client</h2><p><span style="color: rgb(0,0,0);">As of version 5.3.6, 
Tapestry integrates a&#160;</span><a class="external-link" 
style="text-decoration: underline;text-align: justify;" 
href="http://en.wikipedia.org/wiki/HMAC"; rel="nofollow">hash-based message 
authentication code</a><span style="color: rgb(0,0,0);">&#160;(HMAC) into 
serialized Java object data that it sends to the client (generally, this means 
the&#160;</span><code style="text-align: justify;">t:formdata</code><span 
style="color: rgb(0,0,0);">&#160;hidden field used by the Form component). This 
ensures that the hidden binary object data is guaranteed to be unaltered when 
it returns to the server upon form (or AJAX) submission. The HMAC pass phrase 
is set using the&#160;<a href="configuration.html">tapestry.hmac-passphrase</a> 
configuration symbol. If you don't set that value, you'll see a warning message 
in the browser, like this:&#1
 60;</span></p><div class="preformatted panel" style="border-width: 1px;"><div 
class="preformattedContent panelContent">
+</div></div><p></p><p>Sometimes, in production, a firewall or proxy may make 
it look like the client web browser originates from localhost, with the 
consequence that whitelisted pages may be visible to all users. See the&#160;<a 
href="security-faq.html">Security FAQ</a> for how to deal with this.</p><h2 
id="Security-AssetSecurity">Asset Security</h2><p>Main Article:&#160;<a 
href="security.html">Security</a></p><p class="confluence-link">Tapestry serves 
assets (static content such as CSS files, images, and JavaScript, many of which 
are on the classpath alongside your compiled class files) to the 
client.&#160;Because of this, great care has gone into ensuring that certain 
file types cannot be served to the client. By default, file ending with 
".class', ".tml" and ".properties" can be served to the client only if the 
request includes the file's MD5 checksum. As you would expect, that blacklist 
can be extended. See <a href="assets.html">Assets</a> for more 
information.</p><h2 id="Securi
 ty-ProtectingSerializedObjectDataontheClient">Protecting Serialized Object 
Data on the Client</h2><p><span style="color: rgb(0,0,0);">As of version 5.3.6, 
Tapestry integrates a&#160;</span><a class="external-link" 
href="http://en.wikipedia.org/wiki/HMAC"; style="text-decoration: 
underline;text-align: justify;" rel="nofollow">hash-based message 
authentication code</a><span style="color: rgb(0,0,0);">&#160;(HMAC) into 
serialized Java object data that it sends to the client (generally, this means 
the&#160;</span><code style="text-align: justify;">t:formdata</code><span 
style="color: rgb(0,0,0);">&#160;hidden field used by the Form component). This 
ensures that the hidden binary object data is guaranteed to be unaltered when 
it returns to the server upon form (or AJAX) submission. The HMAC pass phrase 
is set using the&#160;<a href="configuration.html">tapestry.hmac-passphrase</a> 
configuration symbol. If you don't set that value, you'll see a warning message 
in the browser, like this:&#1
 60;</span></p><div class="preformatted panel" style="border-width: 1px;"><div 
class="preformattedContent panelContent">
 <pre>The symbol 'tapestry.hmac-passphrase' has not been configured. This is 
used to configure hash-based message authentication of Tapestry data stored in 
forms, or in the URL. You application is less secure, and more vulnerable to 
denial-of-service attacks, when this symbol is not configured.</pre>
-</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the 
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 
to 40 random-looking characters, will do) in your application's module class 
(usually AppModule.java).</span></p><h2 
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color: 
rgb(83,145,38);">Cross Site Request Forgery (CSRF)</span></h2><p>Cross Site 
Request Forgery is a type of security vulnerability in which legitimate, 
authorized users may be made to unwittingly submit malicious requests to your 
web application.</p><p><a class="external-link" 
href="https://github.com/porscheinformatik/tapestry-csrf-protection"; 
rel="nofollow">Tapestry-csrf-protection</a>&#160;is a 3rd party module that has 
several features for preventing CSRF attacks. It protects 
all&#160;<span>component event handlers (event links, forms, etc.) by adding 
a&#160;</span><span>CSRF token to event links and adds a CSRF token as a hidden 
field to all forms.&#160
 ;</span><span>Tokens are generated on a per-session basis.</span></p><h2 
id="Security-SecurityFrameworkIntegration"><span>Security Framework 
Integration</span></h2><p>Tapestry does not lock you into a specific 
authentication/authorization implementation. There are integration modules 
available for the more popular open source Java security frameworks. A popular 
choice among Tapestry users is <a class="external-link" 
href="http://www.tynamo.org/tapestry-security+guide/"; 
rel="nofollow">tapestry-security (based on Apache Shiro) from Tynamo.org</a>. 
It is always kept up-to-date with the latest Tapestry versions and offers 
several supporting security modules (e.g. <a class="external-link" 
href="http://www.tynamo.org/tapestry-security-jpa+guide/"; 
rel="nofollow">tapestry-security-jpa</a>, <a class="external-link" 
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"; 
rel="nofollow">tynamo-federatedaccounts</a>). There's also an <a 
class="external-link" href="http://www.localhost.nu/j
 ava/tapestry-spring-security" rel="nofollow">integration module available for 
Spring Security</a> but lately, it hasn't kept up with the latest versions of 
Tapestry 5.</p><p>Additional information:</p><ul><li><a class="external-link" 
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"; 
rel="nofollow">Tynamo-federatedaccounts</a>&#160;<span style="color: 
rgb(0,0,0);">is an add-on to the&#160;</span><a class="external-link" 
href="http://www.tynamo.org/tapestry-security+guide/"; 
rel="nofollow">tapestry-security</a><span style="color: 
rgb(0,0,0);">&#160;module, providing federated (third-party) authentication 
with Facebook, Twitter or Google.</span></li></ul><ul><li><span>To include 
OpenID with Spring Security in your application, see the following Wiki 
entry:&#160;</span><a class="external-link" 
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId";>http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><h2
 id="Security-Vulnerabi
 lityDisclosures">Vulnerability Disclosures</h2><h3 
id="Security-CVE-2019-0195:FilereadingLeadstoJavaDeserializationVulnerability.">CVE-2019-0195:
 File reading Leads to Java Deserialization Vulnerability.</h3><p>Disclosure 
date:&#160;<a class="external-link" 
href="https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24@%3Cusers.tapestry.apache.org%3E";>September
 13th, 2019</a></p><p>Versions affected: all Apache Tapestry versions from 
5.4.0 (including its betas) through 5.4.3</p><p>Description:&#160;Manipulating 
classpath asset file URLs, an attacker could guess the path to&#160;a known 
file in the classpath and have it downloaded. If the attacker&#160;found the 
file with the value of the tapestry.hmac-passphrase configuration&#160;symbol, 
most probably the webapp's AppModule class, the value of this&#160;symbol could 
be used to craft a Java deserialization attack, thus running&#160;malicious 
injected Java code. The vector would be the t:formdata 
 parameter&#160;from the Form component.</p><p>Mitigation: Upgrade to Tapestry 
5.4.5, which is a drop-in replacement for any 5.4.x version.</p><p>Credit: 
Ricter Zheng</p><h3 
id="Security-CVE-2019-0207:ApacheTapestry5.4.2PathTraversalvulnerability">CVE-2019-0207:
 Apache Tapestry 5.4.2 Path Traversal vulnerability</h3><p>Disclosure 
date:&#160;<a class="external-link" 
href="https://lists.apache.org/thread.html/765be3606d865de513f6df9288842c3cf58b09a987c617a535f2b99d@%3Cusers.tapestry.apache.org%3E";>September
 13th, 2019</a></p><p>Versions affected: all Apache Tapestry versions from 
5.4.0 (including its betas) through 5.4.4.</p><p>Description: Tapestry 
processes assets `/assets/ctx` using classes chain `StaticFilesFilter -&gt; 
AssetDispatcher -&gt; ContextResource`, which doesn't filter the character `\`, 
so attacker can perform a path traversal attack to read any files on Windows 
platform.</p><p>Mitigation: Upgrade to Tapestry 5.4.5, which is a drop-in 
replacement for any 5.4.x version.<
 /p><p>Credit: Ricter Zheng</p><h3 
id="Security-CVE-2019-10071:NewIssueinFixforCVE-2014-1972">CVE-2019-10071: New 
Issue in Fix for CVE-2014-1972</h3><p>Disclosure date: <a 
rel="nofollow">September 13th, 2019</a></p><p>Versions affected: all Apache 
Tapestry versions from 5.4.0 (including its&#160;betas) through 
5.4.3</p><p>Description: The code which checks HMAC in form submissions 
usedString.equals() for comparisons, which results in a timing side channel 
vulnerability inthe comparison of the HMAC signatures. This could lead to 
remote codeexecution if an attacker is able to determine the correct signature 
fortheir payload. The comparison should have been done with a constant time 
algorithm instead.</p><p>Mitigation: Upgrade to Tapestry 5.4.5, which is a 
drop-in replacement for any 5.4.xversion.</p><p>Credit:&#160;</p><pre>David 
Tomaschik of the Google Security Team</pre><h3 
id="Security-CVE-2019-10071:BypassofthefixforCVE-2019-0195">CVE-2019-10071:&#160;Bypass
 of the fix for CVE-2019
 -0195</h3><p>Disclosure date: <a rel="nofollow">March 14th, 
2021</a></p><p>Versions affected: all Apache Tapestry versions from 5.4.0 
(including its&#160;betas) through 5.6.1, plus 5.7.0.</p><p>Description: A 
critical unauthenticated remote code execution vulnerability was found&#160;all 
recent versions of Apache Tapestry.&#160;The affected versions include 5.4.5, 
5.5.0, 5.6.2 and 5.7.0.</p><p>The vulnerability I have found is a bypass of the 
fix for CVE-2019-0195.&#160;</p><p>Recap:</p><p>Before the fix of CVE-2019-0195 
it was possible to download arbitrary class files from the classpath by 
providing a crafted asset file URL.&#160;An attacker was able to download the 
file `AppModule.class` by&#160;requesting the URL&#160;`<span 
class="nolink">http://localhost:8080/assets/something/services/AppModule.class</span>`
 which contains a HMAC secret key.&#160;The fix for that bug was a blacklist 
filter that checks if the URL&#160;ends with `.class`, `.properties` or 
`.xml`.</p><p>Bypass:</
 p><p>Unfortunately, the blacklist solution can simply be bypassed by appending 
a `/` at the end of the URL: 
`http://localhost:8080/assets/something/services/AppModule.class/`</p><p>The 
slash is stripped after the blacklist check and the file `AppModule.class` is 
loaded into the response.&#160;This class usually contains the HMAC secret key 
which is used to sign</p><p>serialized Java objects.&#160;With the knowledge of 
that key an attacker can sign a Java gadget&#160;chain that leads to RCE (e.g. 
CommonsBeanUtils1 from ysoserial).&#160;</p><p>Solution for this 
vulnerability:</p><p>* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or 
later.</p><p>* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.</p><p>This 
issue is being tracked as TAP5-2663</p><p>Credit:</p><p>Apache Tapestry would 
like to thank Johannes Moritz for finding and notifying this 
vulnerability</p><p></p><pre></pre></div>
+</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the 
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 
to 40 random-looking characters, will do) in your application's module class 
(usually AppModule.java).</span></p><h2 
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color: 
rgb(83,145,38);">Cross Site Request Forgery (CSRF)</span></h2><p>Cross Site 
Request Forgery is a type of security vulnerability in which legitimate, 
authorized users may be made to unwittingly submit malicious requests to your 
web application.</p><p><a class="external-link" 
href="https://github.com/porscheinformatik/tapestry-csrf-protection"; 
rel="nofollow">Tapestry-csrf-protection</a>&#160;is a 3rd party module that has 
several features for preventing CSRF attacks. It protects 
all&#160;<span>component event handlers (event links, forms, etc.) by adding 
a&#160;</span><span>CSRF token to event links and adds a CSRF token as a hidden 
field to all forms.&#160
 ;</span><span>Tokens are generated on a per-session basis.</span></p><h2 
id="Security-SecurityFrameworkIntegration"><span>Security Framework 
Integration</span></h2><p>Tapestry does not lock you into a specific 
authentication/authorization implementation. There are integration modules 
available for the more popular open source Java security frameworks. A popular 
choice among Tapestry users is <a class="external-link" 
href="http://www.tynamo.org/tapestry-security+guide/"; 
rel="nofollow">tapestry-security (based on Apache Shiro) from Tynamo.org</a>. 
It is always kept up-to-date with the latest Tapestry versions and offers 
several supporting security modules (e.g. <a class="external-link" 
href="http://www.tynamo.org/tapestry-security-jpa+guide/"; 
rel="nofollow">tapestry-security-jpa</a>, <a class="external-link" 
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"; 
rel="nofollow">tynamo-federatedaccounts</a>). There's also an <a 
class="external-link" href="http://www.localhost.nu/j
 ava/tapestry-spring-security" rel="nofollow">integration module available for 
Spring Security</a> but lately, it hasn't kept up with the latest versions of 
Tapestry 5.</p><p>Additional information:</p><ul><li><a class="external-link" 
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"; 
rel="nofollow">Tynamo-federatedaccounts</a>&#160;<span style="color: 
rgb(0,0,0);">is an add-on to the&#160;</span><a class="external-link" 
href="http://www.tynamo.org/tapestry-security+guide/"; 
rel="nofollow">tapestry-security</a><span style="color: 
rgb(0,0,0);">&#160;module, providing federated (third-party) authentication 
with Facebook, Twitter or Google.</span></li></ul><ul><li><span>To include 
OpenID with Spring Security in your application, see the following Wiki 
entry:&#160;</span><a class="external-link" 
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId";>http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><h2
 id="Security-Vulnerabi
 lityDisclosures">Vulnerability Disclosures</h2><h3 
id="Security-CVE-2019-0195:FilereadingLeadstoJavaDeserializationVulnerability.">CVE-2019-0195:
 File reading Leads to Java Deserialization Vulnerability.</h3><p>Disclosure 
date:&#160;<a class="external-link" 
href="https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24@%3Cusers.tapestry.apache.org%3E";>September
 13th, 2019</a></p><p>Versions affected: all Apache Tapestry versions from 
5.4.0 (including its betas) through 5.4.3</p><p>Description:&#160;Manipulating 
classpath asset file URLs, an attacker could guess the path to&#160;a known 
file in the classpath and have it downloaded. If the attacker&#160;found the 
file with the value of the tapestry.hmac-passphrase configuration&#160;symbol, 
most probably the webapp's AppModule class, the value of this&#160;symbol could 
be used to craft a Java deserialization attack, thus running&#160;malicious 
injected Java code. The vector would be the t:formdata 
 parameter&#160;from the Form component.</p><p>Mitigation: Upgrade to Tapestry 
5.4.5, which is a drop-in replacement for any 5.4.x version.</p><p>Credit: 
Ricter Zheng</p><h3 
id="Security-CVE-2019-0207:ApacheTapestry5.4.2PathTraversalvulnerability">CVE-2019-0207:
 Apache Tapestry 5.4.2 Path Traversal vulnerability</h3><p>Disclosure 
date:&#160;<a class="external-link" 
href="https://lists.apache.org/thread.html/765be3606d865de513f6df9288842c3cf58b09a987c617a535f2b99d@%3Cusers.tapestry.apache.org%3E";>September
 13th, 2019</a></p><p>Versions affected: all Apache Tapestry versions from 
5.4.0 (including its betas) through 5.4.4.</p><p>Description: Tapestry 
processes assets `/assets/ctx` using classes chain `StaticFilesFilter -&gt; 
AssetDispatcher -&gt; ContextResource`, which doesn't filter the character `\`, 
so attacker can perform a path traversal attack to read any files on Windows 
platform.</p><p>Mitigation: Upgrade to Tapestry 5.4.5, which is a drop-in 
replacement for any 5.4.x version.<
 /p><p>Credit: Ricter Zheng</p><h3 
id="Security-CVE-2019-10071:NewIssueinFixforCVE-2014-1972">CVE-2019-10071: New 
Issue in Fix for CVE-2014-1972</h3><p>Disclosure date: <a 
rel="nofollow">September 13th, 2019</a></p><p>Versions affected: all Apache 
Tapestry versions from 5.4.0 (including its&#160;betas) through 
5.4.3</p><p>Description: The code which checks HMAC in form submissions 
usedString.equals() for comparisons, which results in a timing side channel 
vulnerability inthe comparison of the HMAC signatures. This could lead to 
remote codeexecution if an attacker is able to determine the correct signature 
fortheir payload. The comparison should have been done with a constant time 
algorithm instead.</p><p>Mitigation: Upgrade to Tapestry 5.4.5, which is a 
drop-in replacement for any 5.4.xversion.</p><p>Credit:&#160;</p><pre>David 
Tomaschik of the Google Security Team</pre><h3 
id="Security-CVE-2019-10071:BypassofthefixforCVE-2019-0195">CVE-2019-10071:&#160;Bypass
 of the fix for CVE-2019
 -0195</h3><p>Disclosure date: <a rel="nofollow">March 14th, 
2021</a></p><p>Versions affected: all Apache Tapestry versions from 5.4.0 
(including its&#160;betas) through 5.6.1, plus 5.7.0.</p><p>Description: A 
critical unauthenticated remote code execution vulnerability was found&#160;all 
recent versions of Apache Tapestry.&#160;The affected versions include 5.4.5, 
5.5.0, 5.6.2 and 5.7.0.</p><p>The vulnerability I have found is a bypass of the 
fix for CVE-2019-0195.&#160;</p><p>Recap:</p><p>Before the fix of CVE-2019-0195 
it was possible to download arbitrary class files from the classpath by 
providing a crafted asset file URL.&#160;An attacker was able to download the 
file `AppModule.class` by&#160;requesting the URL&#160;`<span 
class="nolink">http://localhost:8080/assets/something/services/AppModule.class</span>`
 which contains a HMAC secret key.&#160;The fix for that bug was a blacklist 
filter that checks if the URL&#160;ends with `.class`, `.properties` or 
`.xml`.</p><p>Bypass:</
 p><p>Unfortunately, the blacklist solution can simply be bypassed by appending 
a `/` at the end of the URL: 
`http://localhost:8080/assets/something/services/AppModule.class/`</p><p>The 
slash is stripped after the blacklist check and the file `AppModule.class` is 
loaded into the response.&#160;This class usually contains the HMAC secret key 
which is used to sign</p><p>serialized Java objects.&#160;With the knowledge of 
that key an attacker can sign a Java gadget&#160;chain that leads to RCE (e.g. 
CommonsBeanUtils1 from ysoserial).&#160;</p><p>Solution for this 
vulnerability:</p><p>* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or 
later.</p><p>* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.</p><p>This 
issue is being tracked as TAP5-2663</p><p>Credit:</p><p>Apache Tapestry would 
like to thank Johannes Moritz for finding and notifying this 
vulnerability</p><h3 
id="Security-CVE-2022-31781:RegularExpressionDenialofService(ReDoS)inContentType.java.(GHSL-2022-022)">CVE-2022-
 31781: Regular Expression Denial of Service (ReDoS) in ContentType.java. 
(GHSL-2022-022)</h3><p>Disclosure date: July 12th, 2022</p><p>Versions 
affected:</p><p>This issue affects Apache Tapestry 5.8.1 and 
earlier.</p><p>Severity: low</p><p>Description:</p><p>Apache Tapestry up to 
version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in 
the way it handles Content Types. Specially crafted Content Types may cause 
catastrophic backtracking, taking exponential time to 
complete.</p><p>Specifically, this is about the regular expression used on the 
parameter of the org.apache.tapestry5.http.ContentType class.</p><p>Apache 
Tapestry 5.8.2 has a fix for this vulnerability.</p><p>Notice the vulnerability 
cannot be triggered by web requests in Tapestry code alone. It would only 
happen if there's some non-Tapestry codepath passing some outside input to the 
ContentType class constructor.</p><p>Acknowledgements:CodeQL team members 
[@atorralba (Tony Torralba)](<a class="externa
 l-link" href="https://github.com/atorralba"; 
rel="nofollow">https://github.com/atorralba</a>) and [@joefarebrother (Joseph 
Farebrother)](<a class="external-link" href="https://github.com/joefarebrother"; 
rel="nofollow">https://github.com/joefarebrother</a>).</p><pre></pre></div>
             </div>
             <!-- /// Content End -->
           </div>
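Review bot: the second entry headed "CVE-2019-10071: Bypass of the fix for CVE-2019-0195" contradicts itself on versions: it lists 5.6.2 among the affected releases ("The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0") and then names 5.6.2 as the fix ("For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later"), while the "Versions affected" line above it stops at 5.6.1 plus 5.7.0; one of the two statements is wrong and should be checked against the release that actually carries the fix before this goes live. The same entry reuses CVE-2019-10071 in both its heading text and its id attribute, an identifier the timing side channel entry immediately above already uses; the 2021 bypass needs its own CVE number so that readers and scanners keying on the id reach the right advisory. In the newly added CVE-2022-31781 entry, the acknowledgements were pasted as Markdown inside the HTML ("[@atorralba (Tony Torralba)](<a ...>)"), so the square brackets and parentheses will render literally around the anchors; keep the <a> elements and drop the Markdown wrapper, and restore the missing space in "Acknowledgements:CodeQL". The carried-over disclosure text also ships several missing spaces that survive into the rendered page ("usedString.equals()", "inthe", "codeexecution", "fortheir", "5.4.xversion") plus "You application" in the quoted HMAC warning, and the asset blacklist described at the top (".class', ".tml" and ".properties", with a mismatched quote) does not agree with the extensions the bypass entry says the CVE-2019-0195 fix checks (.class, .properties, .xml).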

