FreeBSD : Apache Maven -- multiple vulnerabilities (20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a)

critical Nessus Plugin ID 148748
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The Apache Maven project reports :

We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues :

- Possible Man-In-The-Middle-Attack due to custom repositories using HTTP.

More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with blocked parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning 'any external URL using HTTP'.

The decision was made to block such external HTTP repositories by default : this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.

- Possible Domain Hijacking due to custom repositories using abandoned domains

Sonatype has analyzed which domains were abandoned and has claimed these domains.

- Possible hijacking of downloads by redirecting to custom repositories

This one was the hardest to analyze and explain. The short story is :
you're safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

Solution

Update the affected package.

See Also

http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

http://www.nessus.org/u?db7a98a5

Plugin Details

Severity: Critical

ID: 148748

File Name: freebsd_pkg_20006b5fa0bc11eb8ae6fc4dd43e2b6a.nasl

Version: 1.3

Type: local

Published: 4/19/2021

Updated: 5/7/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2021-26291

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:maven, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 4/19/2021

Vulnerability Publication Date: 4/4/2021

Reference Information

CVE: CVE-2020-13956, CVE-2021-26291