Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File...
Transcript of Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File...
![Page 1: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/1.jpg)
Report on found vulnerabilities
Reporting period: 30.06.2016 - 01.07.2016Scanned files: 18416Files by language:
Java 13963Transact-SQL 21JavaScript 11Ruby 3PL/SQL 1Python 1
![Page 2: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/2.jpg)
2 The report on detected vulnerabilities FILES
File name Files Lines Vulnerabilities by severity
apache-camel-2.17.1-src.zipMD5: 996d271338b4a99145dca8f0e85bbe35
18416 1530306 High = 4Medium = 15 Low = 20
![Page 3: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/3.jpg)
2 The report on detected vulnerabilities CHARTS
![Page 4: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/4.jpg)
4 The report on detected vulnerabilities FILES
Java: File system path manipulationSeverity: highLanguage: JavaShort description: In order to define relative paths in file system, “./” “and “../” characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.Full description: https://localhost:443/scanner/article?articleName=/en/Java/InjectionPath.html
Found Vulnerabilities:File name: apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.javaCode:
115 }116 return true;117 }118 private String grabBodyContent() throws MalformedURLException, IOException {119 URL url = new URL(page);120 File file = new File(targetDir, ".manualCache-" + url.getFile().substring(1));121 122 try {123 HttpURLConnection con = (HttpURLConnection)url.openConnection();124 XMLReader parser = new Parser();125 parser.setFeature(Parser.namespacesFeature, false);
Attack details:
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::main192 };*/193 new ManualGenerator(args).run();194 }
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::Constructor53 head = args[3];54 targetDir = args[4];55 skip = args[5];
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::grabBodyContent119 URL url = new URL(page);120 File file = new File(targetDir, ".manualCache-" + url.getFile().substring(1));121
File name: apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.javaCode:
70 71 private void storeHTMLFile(String content) throws IOException {
![Page 5: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/5.jpg)
5 The report on detected vulnerabilities FILES
72 String replaceToken = "<h3 id=\"replaceme\">.*</h3>";73 String replaceValue = "<h3>Version " + version + "</h3>";74 75 File outFile = new File(output);76 outFile.getParentFile().mkdirs();77 PrintWriter out = new PrintWriter(new BufferedOutputStream(new FileOutputStream(outFile)));78 out.println("<html>");79 out.println("<head>");80 if (head != null) {
Attack details:
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::main192 };*/193 new ManualGenerator(args).run();194 }
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::Constructor50 page = args[0];51 output = args[1];52 version = args[2];
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::storeHTMLFile74 75 File outFile = new File(output);76 outFile.getParentFile().mkdirs();
File name: apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.javaCode:
95 if (skip.equalsIgnoreCase("true")) {96 // we don't want to generate the manual here97 return false;98 }99 URL url = new URL(page);100 File file = new File(targetDir, ".manualCache-" + url.getFile().substring(1));101 if (file.exists()) {102 HttpURLConnection con = (HttpURLConnection)url.openConnection();103 con.setRequestMethod("HEAD");104 long date = con.getLastModified();105
Attack details:
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::main192 };*/193 new ManualGenerator(args).run();194 }
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::Constructor
![Page 6: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/6.jpg)
6 The report on detected vulnerabilities FILES
53 head = args[3];54 targetDir = args[4];55 skip = args[5];
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::doGenerate99 URL url = new URL(page);100 File file = new File(targetDir, ".manualCache-" + url.getFile().substring(1));101 if (file.exists()) {
File name: apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.javaCode:
101 if (file.exists()) {102 HttpURLConnection con = (HttpURLConnection)url.openConnection();103 con.setRequestMethod("HEAD");104 long date = con.getLastModified();105 106 FileReader reader = new FileReader(file);107 char chars[] = new char[1000];108 int i = reader.read(chars);109 reader.close();110111 long lastDate = Long.parseLong(new String(chars, 0, i).trim());
Attack details:
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::main192 };*/193 new ManualGenerator(args).run();194 }
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::Constructor53 head = args[3];54 targetDir = args[4];55 skip = args[5];
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::doGenerate99 URL url = new URL(page);100 File file = new File(targetDir, ".manualCache-" + url.getFile().substring(1));101 if (file.exists()) {
apache-camel-2.17.1/tooling/camel-manual/src/main/java/org/apache/camel/manual/ManualGenerator.java
org.apache.camel.manual.ManualGenerator::doGenerate105 106 FileReader reader = new FileReader(file);107 char chars[] = new char[1000];
![Page 7: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/7.jpg)
7 The report on detected vulnerabilities FILES
File system path manipulation
In order to define relative paths in file system, “./” “and “../” characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.
Example 1
This vulnerability shows up if the both of the following are true:
•The malicious user can enter a path to a file system object that would be accessed;
•After giving the path to the object, the malicious user can perform tasks, previously limited to him. Let’s take a look at an example, where the application receives a file name from and HTTP request, checks for its existence on the server, and returns the file to the user in an HTTP response:
Java@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String requestedFileName = request.getParameter("file"); File file = new File("/usr/local/fileserver/" + requestedFileName); if (send404IfNotExists(response, file)) return; sendFile(response, file);}
Let’s suppose the HTML page that asks the user to download the file presents a list of available files, thus limiting the user’s access to the files on the server. However, the malicious user can create URL in the browser address bar himself, giving the path to the file he needs. Thus, the user can gain access to server files that are not meant for the public.
Example 2
Let’s take a look at a similar example:
Java@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String requestedFileName = request.getParameter("file"); File file = new File("C:\\reports\\users\\" + requestedFileName); if (send404IfNotExists(response, file)) return; sendFile(response, file);}
The developer has not anticipated that the malicious user can pass the following as the file name:
Data"..\\..\\dblog.log"
As a result, the program will return the following file:
Data"C:\reports\users\..\..\dblog.log"
Which is identical to:
Data"С:\dblog.log"
![Page 8: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/8.jpg)
8 The report on detected vulnerabilities FILES
Instead of getting a log file, the malicious user can read a log of database operations, which contains critical information.
Potential consequences•
The malicious user can gain unsanctioned access to confidential data stored on the file system;
•The malicious user can gain write access to critical files, including config files. For example, he can write in a new user account, and bypass authorization;
•The malicious user can write access to executable files and libraries. He can thus replace a critical application module for his own, gaining complete system access;
•The malicious user can gain erase access to critical files, completely destroying system productivity.
Removal recommendations•
When performing any input filtration on the client side, make sure that similar filtration is done on the server side as well. This is done because the user can modify the data after the client-side filtering is done;
•Assume that all data coming from the client is a potential threat, including hidden form fields and cookies. We recommend using the “accept known good” method for input filtration, such as using a whitelist that describes acceptable input format. All input that does not follow the format, described in the whitelist should be rejected. You can, for example, limit file extensions, allowed symbols in the input string or file name length in symbols:
•Before validation filesystem paths, canonize them
•To ensure the validity of file system paths, you can use a list of allowed symbols. For example, add a limitation that the file must contain only ‘.’ symbol, and no ‘/’ symbols. We recommend against relying on blacklists that include potentially dangerous symbols. For example, this includes filters that remove dangerous sequences from the string. If the filter removes ‘../’ from the string, then after filtering the sequence ‘../…//’, the result would be ‘../’, just what the malicious user needs. Using these recommendations, we can rewrite the first example using the validateFilename function:
Java@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String requestedFileName = request.getParameter("file"); File file = new File("/usr/local/fileserver/" + validateFilename(requestedFileName)); if (send404IfNotExists(response, file)) return; sendFile(response, file);}
Java: Incorrect Permissions for External Entities During XML Document ProcessingSeverity: mediumLanguage: JavaShort description: If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.Full description: https://localhost:443/scanner/article?articleName=/en/Java/XmlXxe.html
![Page 9: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/9.jpg)
9 The report on detected vulnerabilities FILES
Found Vulnerabilities:File name: apache-camel-2.17.1/camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.javaCode:
59 * @throws Exception is thrown if error parsing60 */61 public static Document parseXml(final CamelContext camelContext, final InputStream is) throws Exception {62 final SAXParserFactory factory = SAXParserFactory.newInstance();63 final SAXParser parser = factory.newSAXParser();64 final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();65 final DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();66 final Document doc = docBuilder.newDocument();6768 final Stack<Element> elementStack = new Stack<Element>();69 final StringBuilder textBuffer = new StringBuilder();
File name: apache-camel-2.17.1/camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.javaCode:
57 * @param is the XML content as an input stream58 * @return the DOM model of the routes with coverage information stored as attributes59 * @throws Exception is thrown if error parsing60 */61 public static Document parseXml(final CamelContext camelContext, final InputStream is) throws Exception {62 final SAXParserFactory factory = SAXParserFactory.newInstance();63 final SAXParser parser = factory.newSAXParser();64 final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();65 final DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();66 final Document doc = docBuilder.newDocument();67
File name: apache-camel-2.17.1/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.javaCode:
86 ObjectHelper.notNull(is, "is");87 ObjectHelper.notNull(transformer, "transformer");8889 final Document doc;90 SAXParser parser;91 final SAXParserFactory factory = SAXParserFactory.newInstance();92 parser = factory.newSAXParser();93 final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();94 // turn off validator and loading external dtd95 dbf.setValidating(false);96 dbf.setNamespaceAware(true);
File name: apache-camel-2.17.1/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.javaCode:
65 * @return instance of XMLReader66 * @throws ParserConfigurationException67 * @throws SAXException68 */69 private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
![Page 10: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/10.jpg)
10 The report on detected vulnerabilities FILES
70 final SAXParserFactory fac = SAXParserFactory.newInstance();71 fac.setValidating(false);72 final SAXParser parser = fac.newSAXParser();73 XMLReader reader = parser.getXMLReader();74 return reader;75 }
File name: apache-camel-2.17.1/components/camel-xmlbeans/src/test/java/org/apache/camel/converter/xmlbeans/XmlBeansConverterTest.javaCode:
72 assertBuyStocks(result);73 }7475 @Test76 public void toXmlObjectFromNode() throws Exception {77 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();78 factory.setNamespaceAware(true);79 factory.setIgnoringElementContentWhitespace(true);80 factory.setIgnoringComments(true);81 DocumentBuilder builder = factory.newDocumentBuilder();82 Document document = builder.parse(new InputSource(new StringReader(PAYLOAD)));
File name: apache-camel-2.17.1/platforms/catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.javaCode:
16181619 if (answer == null) {1620 int archetypes = 0;1621 try {1622 String xml = archetypeCatalogAsXml();1623 Document dom = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes()));1624 Object val = XPathFactory.newInstance().newXPath().evaluate("count(/archetype-catalog/archetypes/archetype)", dom, XPathConstants.NUMBER);1625 double num = (double) val;1626 archetypes = (int) num;1627 } catch (Exception e) {1628 // ignore
File name: apache-camel-2.17.1/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.javaCode:
3334public final class XmlHelper {35 private XmlHelper() { }3637 public static Document buildNamespaceAwareDocument(File xml) throws SAXException, ParserConfigurationException, IOException {38 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();39 factory.setNamespaceAware(true);40 return factory.newDocumentBuilder().parse(xml);41 }4243 public static Transformer buildTransformer() throws TransformerConfigurationException {
![Page 11: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/11.jpg)
11 The report on detected vulnerabilities FILES
Incorrect Permissions for External Entities During XML Document Processing
If the application allows the use of external entities [1] in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities.
Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.
Example
In this example, we take a look at a code fragment, where we use the standard Java parser (JAXP) to process the XML file:
JavaInputStream is = request.getInputStream();DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();Document document = builder.parse(is);NodeList list = document.getElementsByTagName("methodName");Node methodNode;
for (int i=0; i < list.getLength(); i++){ methodNode = list.item(i); string methodName = methodNode.getTextContent(); switch(methodName) { case "getBalance": case "getInfo": case "changeInfo": doingSomething(); break; default: printErrorMessage("<Error>Method is not supported:"+ methodName); break; }}
If the user passes the following XML document in his query:
Xml<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/passwd'> ]><methodCall> <methodName>&e;</methodName></methodCall>
Then, after resolving external entities in the methodName field (and, therefore, the error message), the contents of the /etc/passwd file on the application server will be returned.
Potential consequences
This vulnerability can lead to the following:
•Reading files, local to the application server;
•Performing network interactions between the application server and other objects, including local network objects (see SSRF[2]);
•Denial of Service (DoS) for the application server.
Removal recommendations
We recommend turning off the permissions for external XML entities when working with user XML documents. To do so, JAXP needs to
![Page 12: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/12.jpg)
12 The report on detected vulnerabilities FILES
use the following calls:
JavadbFactory = DocumentBuilderFactory.newInstance();dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
In addition to that, we recommend turning off XML validation (despite the fact that it is off by default):
JavadbFactory.setValidating(false);
To further protect against DoS attacks, based on processing complex XML documents, as well as against XML Entity Expansion attacks, we recommend turning on the javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING option:
JavadbFactory.setFeature (XMLConstants.FEATURE_SECURE_PROCESSING, true);
Java: Missing Verification of Executable Files' Digital Signature when Executing them from Untrusted SourcesSeverity: mediumLanguage: JavaShort description: If an application uses executable files in its work, and does not check their digital signature, then then the malicious user could replace the files with their own versions. The malicious code from this file will then be loaded into the application context, and will be run with application process privileges.Full description: https://localhost:443/scanner/article?articleName=/en/Java/CommonJarFileVerification.html
Found Vulnerabilities:File name: apache-camel-2.17.1/components/camel-quickfix/src/test/java/org/apache/camel/component/quickfixj/QuickfixjComponentTest.javaCode:
112 settings.setString(Initiator.SETTING_SOCKET_CONNECT_PROTOCOL, ProtocolFactory.getTypeString(ProtocolFactory.VM_PIPE));113 settings.setBool(Session.SETTING_USE_DATA_DICTIONARY, false);114 setSessionID(settings, sessionID); 115116 contextClassLoader = Thread.currentThread().getContextClassLoader();117 ClassLoader testClassLoader = new URLClassLoader(urls, contextClassLoader);118 Thread.currentThread().setContextClassLoader(testClassLoader);119 }120121 private void setUpComponent() throws IOException, MalformedURLException, NoSuchMethodException {122 setUpComponent(false);
File name: apache-camel-2.17.1/components/camel-spring/src/test/java/org/apache/camel/spring/scan/DefaultPackageScanClassResolverTest.javaCode:
133 try {134 savedClassLoader = Thread.currentThread().getContextClassLoader();135 URL url = getClass().getResource("/package_scan_test.jar");136 137 URL urls[] = {new URL("jar:" + url.toString() + "!/")};
![Page 13: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/13.jpg)
13 The report on detected vulnerabilities FILES
138 URLClassLoader classLoader = new URLClassLoader(urls, savedClassLoader);139140 Thread.currentThread().setContextClassLoader(classLoader);141142 // recreate resolver since we mess with context class loader143 resolver = new DefaultPackageScanClassResolver();
File name: apache-camel-2.17.1/tooling/maven/camel-maven-plugin/src/main/java/org/apache/camel/maven/EmbeddedMojo.javaCode:
196 String name = (String) classpathElements.get(i);197 File file = new File(name);198 urls[i] = file.toURI().toURL();199 getLog().debug("URL: " + urls[i]);200 }201 URLClassLoader loader = new URLClassLoader(urls, parent);202 return loader;203 }204}
File name: apache-camel-2.17.1/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PackageDataFormatMojo.javaCode:
151 Artifact camelCore = findCamelCoreArtifact(project);152 if (camelCore != null) {153 File core = camelCore.getFile();154 if (core != null) {155 URL url = new URL("file", null, core.getAbsolutePath());156 URLClassLoader loader = new URLClassLoader(new URL[]{url});157 for (Map.Entry<String, String> entry : javaTypes.entrySet()) {158 String name = entry.getKey();159 String javaType = entry.getValue();160 String modelName = asModelName(name);161
File name: apache-camel-2.17.1/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PackageLanguageMojo.javaCode:
151 Artifact camelCore = findCamelCoreArtifact(project);152 if (camelCore != null) {153 File core = camelCore.getFile();154 if (core != null) {155 URL url = new URL("file", null, core.getAbsolutePath());156 URLClassLoader loader = new URLClassLoader(new URL[]{url});157 for (Map.Entry<String, String> entry : javaTypes.entrySet()) {158 String name = entry.getKey();159 String javaType = entry.getValue();160 String modelName = asModelName(name);161
File name: apache-camel-2.17.1/tooling/maven/guice-maven-plugin/src/main/java/org/apache/camel/guice/maven/EmbeddedMojo.javaCode:
178 String name = (String) classpathElements.get(i);179 File file = new File(name);180 urls[i] = file.toURI().toURL();181 getLog().debug("URL: " + urls[i]);
![Page 14: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/14.jpg)
14 The report on detected vulnerabilities FILES
182 }183 URLClassLoader loader = new URLClassLoader(urls, parent);184 return loader;185 }186}
Missing Verification of Executable Files' Digital Signature when Executing them from Untrusted Sources
If an application uses executable files in its work, and does not check their digital signature, then then the malicious user could replace the files with their own versions. The malicious code from this file will then be loaded into the application context, and will be run with application process privileges.
Example
Let's take a look at an example of a service with extendable functionality. Suppose the service compiles data from various sources. When a new data source is added, the service must be extended in such a way that it could read the new message format. In order to do this, the following function for loading the modules on the fly is present:
JavaFile f = new File(downloadedFilePath);JarFile jf = new JarFile(f);
The loaded file is received from an external source, and does not get verified for integrity or for its digital signature. The malicious user could then execute a "man in the middle" attack [1], and replace the loaded file with one of their own. The malicious code will then be run in the context of the service with all of its privileges. For example, such code could intercept incoming messages and change them, or forward them to a malicious user's account.
Potential Consequences•
Launching malicious executable code with application privileges and intercepting control of the system;
•Compromising confidential information.
Removal Recommendations
Before launching executable code, received from untrusted sources, we recommend checking their integrity and verify their digital signature. We recommend against accepting unsigned executable files from external sources.
With these recommendations, we can rewrite the example as such:
JavaFile f = new File(downloadedFilePath);JarFile jf = new JarFile(f, true);
If the file is unsigned, or the signature is compromised, the system throws a SecurityException
Java: Using Broken or Risky Cryptographic AlgorithmSeverity: mediumLanguage: JavaShort description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.Full description: https://localhost:443/scanner/article?articleName=/en/Java/CryptoWeakCryptographicAlgorithm.html
![Page 15: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/15.jpg)
15 The report on detected vulnerabilities FILES
Found Vulnerabilities:File name: apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.javaCode:
102 public String getDataFormatName() {103 return "crypto";104 }105106 private Cipher initializeCipher(int mode, Key key, byte[] iv) throws Exception {107 Cipher cipher = cryptoProvider == null ? Cipher.getInstance(algorithm) : Cipher.getInstance(algorithm, cryptoProvider);108109 if (key == null) {110 throw new IllegalStateException("A valid encryption key is required. Either configure the CryptoDataFormat "111 + "with a key or provide one in a header using the header name 'CamelCryptoKey'");112 }
Attack details:
apache-camel-2.17.1/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java
org.apache.camel.converter.crypto.CryptoDataFormatTest.--AnonymousClass--apache-camel-2_17_1_components_camel-crypto_src_test_java_org_apache_camel_converter_crypto_CryptoDataFormatTest_174_30::configure180181 CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES/CBC/PKCS5Padding", key);182 cryptoFormat.setInitializationVector(initializationVector);
apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.java
org.apache.camel.converter.crypto.CryptoDataFormat::Constructor91 public CryptoDataFormat(String algorithm, Key key) {92 this(algorithm, key, null);93 }
apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.java
org.apache.camel.converter.crypto.CryptoDataFormat::Constructor95 public CryptoDataFormat(String algorithm, Key key, String cryptoProvider) {96 this.algorithm = algorithm;97 this.configuredkey = key;
apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.java
org.apache.camel.converter.crypto.CryptoDataFormat::initializeCipher106 private Cipher initializeCipher(int mode, Key key, byte[] iv) throws Exception {107 Cipher cipher = cryptoProvider == null ? Cipher.getInstance(algorithm) : Cipher.getInstance(algorithm, cryptoProvider);108
![Page 16: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/16.jpg)
16 The report on detected vulnerabilities FILES
File name: apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.javaCode:
102 public String getDataFormatName() {103 return "crypto";104 }105106 private Cipher initializeCipher(int mode, Key key, byte[] iv) throws Exception {107 Cipher cipher = cryptoProvider == null ? Cipher.getInstance(algorithm) : Cipher.getInstance(algorithm, cryptoProvider);108109 if (key == null) {110 throw new IllegalStateException("A valid encryption key is required. Either configure the CryptoDataFormat "111 + "with a key or provide one in a header using the header name 'CamelCryptoKey'");112 }
Attack details:
apache-camel-2.17.1/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java
org.apache.camel.converter.crypto.CryptoDataFormatTest.--AnonymousClass--apache-camel-2_17_1_components_camel-crypto_src_test_java_org_apache_camel_converter_crypto_CryptoDataFormatTest_174_30::configure180181 CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES/CBC/PKCS5Padding", key);182 cryptoFormat.setInitializationVector(initializationVector);
apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.java
org.apache.camel.converter.crypto.CryptoDataFormat::Constructor91 public CryptoDataFormat(String algorithm, Key key) {92 this(algorithm, key, null);93 }
apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.java
org.apache.camel.converter.crypto.CryptoDataFormat::Constructor95 public CryptoDataFormat(String algorithm, Key key, String cryptoProvider) {96 this.algorithm = algorithm;97 this.configuredkey = key;
apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/CryptoDataFormat.java
org.apache.camel.converter.crypto.CryptoDataFormat::initializeCipher106 private Cipher initializeCipher(int mode, Key key, byte[] iv) throws Exception {107 Cipher cipher = cryptoProvider == null ? Cipher.getInstance(algorithm) : Cipher.getInstance(algorithm, cryptoProvider);108
Using Broken or Risky Cryptographic Algorithm
![Page 17: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/17.jpg)
17 The report on detected vulnerabilities FILES
Using insufficiently strong cryptographic algorithms increases the risk of system hacking and compromising confidential information. We also recommend against using nonstandard encryption methods, since they could be broken with standard attacks.
Example 1
In this example, we use the Data Encryption Standard (DES) algorithm to store passwords on the disk:
Javapublic byte[] encrypt(String password){ try { Cipher des = Cipher.getInstance( "DES" ); des.init( Cipher.ENCRYPT_MODE, key ); return des.doFinal( password.getBytes() ); } catch( Throwable ex ) { throw new IllegalStateException( ex ); }}
The DES [1] is currently considered insufficiently strong [2]. Using an outdated algorithm can give the malicious user the opportunity to use a simpler attack to break it.
Example 2
In this example, we use the MD5 hash algorithm in order to verify data integrity:
Javaprivate static byte[] countMd5( BufferedInputStream inputStream )throws NoSuchAlgorithmException, IOException{ MessageDigest md = MessageDigest.getInstance( "MD5" ); try( DigestInputStream dis = new DigestInputStream( inputStream, md ) ) { byte[] buffer = new byte[BUFFER_SIZE];
while( dis.read( buffer ) != -1 ) { // do nothing - just read stream till the end to count md5 } } return md.digest();}
The MD5 hash algorithm is vulnerable to collision attacks. This means that if the malicious user has the message hash, he could find a message that has the same hash. This lets him replace the message with his own. In order to ensure message integrity, we recommend using the SHA-2 [3] hash family of algorithms.
Potential Consequences•
Gaining access to encrypted data;
•Replacing data using man-in-the-middle attacks.
Removal Recommendations
When using a system that encrypts data, ensure that:
•The system is independent from the actual encryption method, and it is easy to replace one encryption algorithm with another;
![Page 18: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/18.jpg)
18 The report on detected vulnerabilities FILES
•
The system uses methods that are approved by the experts, and keep track of the industry's development. For example, MD4, MD5, SHA1, and DES algorithms were once considered strong, but have become outdated by now [4];
•When using standard crypto methods, follow all of the developers' recommendations. Do not skip steps in the name of conserving resources;
•Avoiding developing in-house encryption methods. Cryptographic algorithm development is an incredibly complex field.. Modern algorithms are developed by large expert organizations, are tested for a long time, and are attacked countless times. Your own algorithms can have errors and weak spots. These could be broken using standard tools by crypto experts. Do not rely on the difficulty of reverse engineering, since that does not guarantee the difficulty of breaking it;
•Pay attention to encryption mode. CBC using a random initialization vector is more secure than ECB, but the difference is negligible for a short password. Using these recommendations, we can rewrite example 1 as such:
Javapublic byte[] encrypt(String password){ try { Cipher aes = Cipher.getInstance( "AES" ); aes.init( Cipher.ENCRYPT_MODE, key ); return aes.doFinal( password.getBytes() ); } catch( Throwable ex ) { throw new IllegalStateException( ex ); }}
The Advanced Encryption Standard (AES) is a modern standard, recommended by crypto experts to protect data from unsanctioned access.
Java: Using Hardcoded CredentialsSeverity: lowLanguage: JavaShort description: The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external componentsFull description: https://localhost:443/scanner/article?articleName=/en/Java/CommonHardcodedPassword.html
Found Vulnerabilities:File name: apache-camel-2.17.1/components/camel-amqp/src/main/java/org/apache/camel/component/amqp/AMQPConnectionDetails.javaCode:
2526 public static final String AMQP_PORT = "AMQP_SERVICE_PORT";2728 public static final String AMQP_USERNAME = "AMQP_SERVICE_USERNAME";2930 public static final String AMQP_PASSWORD = "AMQP_SERVICE_PASSWORD";3132 private final String uri;3334 private final String username;35
![Page 19: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/19.jpg)
19 The report on detected vulnerabilities FILES
File name: apache-camel-2.17.1/components/camel-box/src/main/java/org/apache/camel/component/box/BoxEndpoint.javaCode:
43 lenientProperties = true)44// need to be lenient as the box component has a bunch of generated configuration classes that lacks documentation45public class BoxEndpoint extends AbstractApiEndpoint<BoxApiName, BoxConfiguration> {4647 private static final String SHARED_LINK_PROPERTY = "sharedLink";48 private static final String SHARED_PASSWORD_PROPERTY = "sharedPassword";4950 @UriParam51 private BoxConfiguration configuration;5253 // cached client
File name: apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/component/crypto/DigitalSignatureConstants.javaCode:
23public final class DigitalSignatureConstants {24 public static final String SIGNATURE_PRIVATE_KEY = "CamelSignaturePrivateKey";25 public static final String SIGNATURE_PUBLIC_KEY_OR_CERT = "CamelSignaturePublicKeyOrCert";26 public static final String SIGNATURE = "CamelDigitalSignature";27 public static final String KEYSTORE_ALIAS = "CamelSignatureKeyStoreAlias";28 public static final String KEYSTORE_PASSWORD = "CamelSignatureKeyStorePassword";29 30 private DigitalSignatureConstants() {31 // Helper Class32 }33}
File name: apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPSecretKeyAccessor.javaCode:
59 * have the same password60 * @param provider61 * @throws PGPException62 * @throws IOException63 */64 public DefaultPGPSecretKeyAccessor(byte[] secretKeyRing, String password, String provider) throws PGPException, IOException {65 ObjectHelper.notNull(secretKeyRing, "secretKeyRing");66 ObjectHelper.notEmpty(password, "password");67 ObjectHelper.notEmpty(provider, "provider");68 pgpSecretKeyring = 69 new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(new ByteArrayInputStream(secretKeyRing)),
File name: apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPDataFormat.javaCode:
42 public static final String KEY_FILE_NAME = "CamelPGPDataFormatKeyFileName";43 public static final String ENCRYPTION_KEY_RING = "CamelPGPDataFormatEncryptionKeyRing";44 public static final String KEY_PASSWORD = "CamelPGPDataFormatKeyPassword";45
![Page 20: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/20.jpg)
20 The report on detected vulnerabilities FILES
public static final String SIGNATURE_KEY_FILE_NAME = "CamelPGPDataFormatSignatureKeyFileName";46 public static final String SIGNATURE_KEY_RING = "CamelPGPDataFormatSignatureKeyRing";47 public static final String SIGNATURE_KEY_PASSWORD = "CamelPGPDataFormatSignatureKeyPassword";4849 //private static final Logger LOG = LoggerFactory.getLogger(PGPDataFormatChanged.class);5051 private String password; // only for decryption52 private String keyFileName;
File name: apache-camel-2.17.1/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPDataFormat.javaCode:
39 */40public class PGPDataFormat extends PGPKeyAccessDataFormat implements PGPPublicKeyAccessor, PGPSecretKeyAccessor {41 42 public static final String KEY_FILE_NAME = "CamelPGPDataFormatKeyFileName";43 public static final String ENCRYPTION_KEY_RING = "CamelPGPDataFormatEncryptionKeyRing";44 public static final String KEY_PASSWORD = "CamelPGPDataFormatKeyPassword";45 public static final String SIGNATURE_KEY_FILE_NAME = "CamelPGPDataFormatSignatureKeyFileName";46 public static final String SIGNATURE_KEY_RING = "CamelPGPDataFormatSignatureKeyRing";47 public static final String SIGNATURE_KEY_PASSWORD = "CamelPGPDataFormatSignatureKeyPassword";4849 //private static final Logger LOG = LoggerFactory.getLogger(PGPDataFormatChanged.class);
File name: apache-camel-2.17.1/components/camel-docker/src/main/java/org/apache/camel/component/docker/DockerConstants.javaCode:
6061 /**62 * Auth *63 */64 public static final String DOCKER_EMAIL = "CamelDockerEmail";65 public static final String DOCKER_PASSWORD = "CamelDockerPassword";66 public static final String DOCKER_SERVER_ADDRESS = "CamelDockerServerAddress";67 public static final String DOCKER_USERNAME = "CamelDockerUsername";6869 /**70 * Pull *
File name: apache-camel-2.17.1/components/camel-ftp/src/test/java/org/apache/camel/component/file/remote/sftp/SftpSimpleProduceThroughProxyTest.javaCode:
4445 // start http proxy46 HttpProxyServer proxyServer = new DefaultHttpProxyServer(proxyPort);47 proxyServer.addProxyAuthenticationHandler(new ProxyAuthorizationHandler() {48 @Override49 public boolean authenticate(String userName, String password) {50 return "user".equals(userName) && "password".equals(password);51 }52 });53 proxyServer.start();54
![Page 21: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/21.jpg)
21 The report on detected vulnerabilities FILES
File name: apache-camel-2.17.1/components/camel-gae/src/main/java/org/apache/camel/component/gae/login/GLoginBinding.javaCode:
38 39 /**40 * Name of the Camel header defining the login password. Overrides41 * {@link GLoginEndpoint#getPassword()}.42 */43 public static final String GLOGIN_PASSWORD = "CamelGloginPassword";44 45 /**46 * Name of the Camel header containing the resulting authentication token. 47 */48 public static final String GLOGIN_TOKEN = "CamelGloginToken";
File name: apache-camel-2.17.1/components/camel-jasypt/src/main/java/org/apache/camel/component/jasypt/JasyptPropertiesParser.javaCode:
8586 public void setAlgorithm(String algorithm) {87 this.algorithm = algorithm;88 }8990 public void setPassword(String password) {91 // lookup password as either environment or JVM system property92 if (password.startsWith("sysenv:")) {93 password = System.getenv(ObjectHelper.after(password, "sysenv:"));94 }95 if (password.startsWith("sys:")) {
File name: apache-camel-2.17.1/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.javaCode:
99 100 protected static final HashMap<String, ConnectorRef> CONNECTORS = new HashMap<String, ConnectorRef>();101 102 private static final Logger LOG = LoggerFactory.getLogger(JettyHttpComponent.class);103 private static final String JETTY_SSL_KEYSTORE = "org.eclipse.jetty.ssl.keystore";104 private static final String JETTY_SSL_KEYPASSWORD = "org.eclipse.jetty.ssl.keypassword";105 private static final String JETTY_SSL_PASSWORD = "org.eclipse.jetty.ssl.password";106107 protected String sslKeyPassword;108 protected String sslPassword;109 protected String sslKeystore;
File name: apache-camel-2.17.1/components/camel-jetty-common/src/main/java/org/apache/camel/component/jetty/JettyHttpComponent.javaCode:
100 protected static final HashMap<String, ConnectorRef> CONNECTORS = new HashMap<String, ConnectorRef>();101 102 private static final Logger LOG = LoggerFactory.getLogger(JettyHttpComponent.class);103 private static final String JETTY_SSL_KEYSTORE = "org.eclipse.jetty.ssl.keystore";104 private static final String JETTY_SSL_KEYPASSWORD = "org.eclipse.jetty.ssl.keypassword";
![Page 22: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/22.jpg)
22 The report on detected vulnerabilities FILES
105 private static final String JETTY_SSL_PASSWORD = "org.eclipse.jetty.ssl.password";106107 protected String sslKeyPassword;108 protected String sslPassword;109 protected String sslKeystore;110 protected Map<Integer, Connector> sslSocketConnectors;
File name: apache-camel-2.17.1/components/camel-restlet/src/main/java/org/apache/camel/component/restlet/RestletConstants.javaCode:
22 * @version 23 */24public final class RestletConstants {25 26 public static final String RESTLET_LOGIN = "CamelRestletLogin";27 public static final String RESTLET_PASSWORD = "CamelRestletPassword";28 public static final String RESTLET_REQUEST = "CamelRestletRequest";29 public static final String RESTLET_RESPONSE = "CamelRestletResponse";3031 private RestletConstants() {32 }
File name: apache-camel-2.17.1/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityConstants.javaCode:
21 */22public final class ShiroSecurityConstants {2324 public static final String SHIRO_SECURITY_TOKEN = "SHIRO_SECURITY_TOKEN";25 public static final String SHIRO_SECURITY_USERNAME = "SHIRO_SECURITY_USERNAME";26 public static final String SHIRO_SECURITY_PASSWORD = "SHIRO_SECURITY_PASSWORD";2728 private ShiroSecurityConstants() {29 }3031}
File name: apache-camel-2.17.1/components/camel-smpp/src/main/java/org/apache/camel/component/smpp/SmppConfiguration.javaCode:
47 @UriPath(defaultValue = "2775")48 private Integer port = 2775;49 @UriParam(defaultValue = "smppclient")50 private String systemId = "smppclient";51 @UriParam52 private String password = "password";53 @UriParam(defaultValue = "cp")54 private String systemType = "cp";55 @UriParam56 private byte dataCoding = (byte) 0;57 @UriParam(enums = "0,4,8")
File name: apache-camel-2.17.1/components/camel-smpp/src/main/java/org/apache/camel/component/smpp/SmppConstants.javaCode:
54 String SOURCE_ADDR_NPI = "CamelSmppSourceAddrNpi";55 String SOURCE_ADDR_TON = "CamelSmppSourceAddrTon";
![Page 23: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/23.jpg)
23 The report on detected vulnerabilities FILES
56 String SUBMITTED = "CamelSmppSubmitted";57 String SUBMIT_DATE = "CamelSmppSubmitDate";58 String SYSTEM_ID = "CamelSmppSystemId";59 String PASSWORD = "CamelSmppPassword";60 String VALIDITY_PERIOD = "CamelSmppValidityPeriod";61 String OPTIONAL_PARAMETERS = "CamelSmppOptionalParameters";62 String OPTIONAL_PARAMETER = "CamelSmppOptionalParameter";63 String SPLITTING_POLICY = "CamelSmppSplittingPolicy";64
File name: apache-camel-2.17.1/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.javaCode:
95 96 /**97 * @deprecated Use {@link #XMLSecurityDataFormat(String, Map, boolean, String, String, String, KeyStoreParameters)} instead.98 */99 @Deprecated100 public static final String XML_ENC_KEY_STORE_PASSWORD = "CamelXmlEncryptionKeyStorePassword";101 102 /**103 * @deprecated Use {@link #XMLSecurityDataFormat(String, Map, boolean, String, String, String, KeyStoreParameters)} instead.104 */105 @Deprecated
File name: apache-camel-2.17.1/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.javaCode:
83 84 /**85 * @deprecated Use {@link #XMLSecurityDataFormat(String, Map, boolean, String, String, String, KeyStoreParameters)} instead.86 */87 @Deprecated88 public static final String XML_ENC_TRUST_STORE_PASSWORD = "CamelXmlEncryptionTrustStorePassword";89 90 /**91 * @deprecated Use {@link #XMLSecurityDataFormat(String, Map, boolean, String, String, String, KeyStoreParameters)} instead.92 */ 93 @Deprecated
Using Hardcoded Credentials
There are two typical scenarios where a developer might use hardcoded credentials while working on an application:
•If the application has to connect to external services that require authorization, such as a DBMS or LDAP;
•If the application realizes authentication and client authorization for access to non-public functions. The most common variant of this would be a remote diagnostics or debugging feature. This type of feature is classified by experts as a backdoor. Regardless of the
![Page 24: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/24.jpg)
24 The report on detected vulnerabilities FILES
original purpose of the hardcoding credentials, their existence is a problem. In some cases, the malicious user can read these, and use them for unauthorized access to application functions, or to external services connected to it.
Example 1
Let's take a look at an example, where access to critical operations is granted to users that passed a login/password check. In addition to that, access is also granted to the test user with the password "debug" for remote debugging purposes:
Java@Overrideprotected void doGet( HttpServletRequest req, HttpServletResponse resp ) throws ServletException, IOException{ String login = req.getParameter( "login" ); String password = req.getParameter( "password" );
if( authenticate( login, password ) || "debug".equals( password ) ) { // обработка запроса }}
The "debug" password is not tracked by the centralized authentication system, which means it is impossible to turn it off using administrative measures. Moreover, the administrator might not even know about it. In this case, the constant password is not only an external threat, but could also be used by the developers for nefarious purposes.
Example 2
Let's take a look at an example where a constant login/password pair is used when connecting to a database:
Java...DriverManager.getConnection(url, "login", "password");...
If an outside user can get a look at the application source code, he will know the password, and he could gain access to the database. Changing the hardcoded password is only possible by updating the application. This means that in an event of a security breach, it would be impossible to close it quickly.
Note: The user does not need to have direct access to the source code, he could instead study the executable byte code using special tools.
Potential Consequences
The extent of potential problems depends on which authorization checks the given construction can bypass. In any case, using this method to bypass the standard control flow based on the username violates the overall security system, since it is not controlled by centralized methods.
Removal Recommendations•
We recommend against using hardcoded credentials;
•We recommend against using user account data to change information flow and bypass common authorization mechanisms. In this case the bypass is controlled by the system administrator, and can be closed after debugging the program;
•We recommend using common mechanisms to limit access to system resources, such as roles and user groups;
•Account data that application uses to interact with external resources should be stored outside the code. For example, they can be stored in encrypted configuration files, protected storage, or a database unavailable to the outside. If encryption is not possible, ensure
![Page 25: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/25.jpg)
25 The report on detected vulnerabilities FILES
that access privileges to the file are properly set up;
•When creating new application user accounts, we recommend against using default values. Insist the user change their password after the first login;
•When storing user accounts, we recommend using hash functions [1] in order to prevent access even if the storage is stolen. In this case, authentication processes compare the hashes, rather than the passwords themselves. We also recommend using a randomly generated salt [2] for every password. This will make breaking in significantly more difficult.
Java: Using Synchronization Primitives in EJB componentsSeverity: lowLanguage: JavaShort description: The Enterprise JavaBeans specification requires that every JavaBean object was platform-independent, and could function properly inside any application container. In order to fulfil this, the specification forbids using thread synchronization primitives inside JavaBeans componentsFull description: https://localhost:443/scanner/article?articleName=/en/Java/EjbRestrictionSynchronization.html
Found Vulnerabilities:File name: apache-camel-2.17.1/components/camel-bam/src/main/java/org/apache/camel/bam/model/ActivityState.javaCode:
54 @Override55 public String toString() {56 return "ActivityState[" + getId() + " on " + getProcessInstance() + " " + getActivityDefinition() + "]";57 }5859 public synchronized void processExchange(ActivityRules activityRules, ProcessContext context) throws Exception {60 int messageCount = 0;61 Integer count = getReceivedMessageCount();62 if (count != null) {63 messageCount = count.intValue();64 }65 setReceivedMessageCount(++messageCount);6667 if (messageCount == 1) {68 onFirstMessage(context);69 }70 int expectedMessages = activityRules.getExpectedMessages();71 if (messageCount == expectedMessages) {72 onExpectedMessage(context);73 } else if (messageCount > expectedMessages) {74 onExcessMessage(context);75 }76 }7778 /**79 * Returns true if this state is for the given activity80 */81 public boolean isActivity(ActivityRules activityRules) {82 return ObjectHelper.equal(getActivityDefinition(), activityRules.getActivityDefinition());83 }
![Page 26: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/26.jpg)
26 The report on detected vulnerabilities FILES
8485 // Properties86 // -----------------------------------------------------------------------
Using Synchronization Primitives in EJB components
The Enterprise JavaBeans specification requires that every JavaBean object was platform-independent, and could function properly inside any application container. In order to fulfil this, the specification forbids using thread synchronization primitives inside JavaBeans components
Example
Let's take a look at a component example that is an element of data model. In order to ensure thread security, the setter methods are marked with the synchronized keyword.
Java@Entitypublic class Customer implements Serializable {
private String id; private String firstName; private String lastName; private Address address;
public Customer() {...}
public Customer(String id, String firstName, String lastName) {...}
@Id public String getCustomerId() {...}
public synchronized void setCustomerId(String id) {...}
public String getFirstName() {...}
public synchronized void setFirstName(String firstName) {...}
public String getLastName() {...}
public synchronized void setLastName(String lastName) {...}
@OneToOne() public Address getAddress() {...}
public synchronized void setAddress(Address address) {...}}
This model violates the specification requirements. Some EJB containers use only one JVM, while others split component exemplars through several JVM. In this case, the synchronization primitives behave unpredictably.
Potential Consequences
Lowering the application portability and overall quality.
Removal Recommendations
We recommend against using synchronization primitives when realizing JavaBeans components.
Java: Violating the Java Object Model
![Page 27: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/27.jpg)
27 The report on detected vulnerabilities FILES
Severity: lowLanguage: JavaShort description: If an object redefines the equals() method without redefining the hashCode() method, it violates the Java object model requirement that equivalent objects must have an equivalent hash.Full description: https://localhost:443/scanner/article?articleName=/en/Java/RestrictionObjectModelViolation.html
Found Vulnerabilities:File name: apache-camel-2.17.1/components/camel-cxf/src/test/java/org/apache/camel/component/cxf/soap/headers/Constants.javaCode:
14 * See the License for the specific language governing permissions and15 * limitations under the License.16 */17package org.apache.camel.component.cxf.soap.headers;1819public final class Constants {2021 public static final String TEST_HDR_NS = "http://cxf.apache.org/outofband/Header";22 public static final String TEST_HDR_REQUEST_ELEM = "outofbandHeader";23 public static final String TEST_HDR_RESPONSE_ELEM = "outofbandHeader";24 public static final SOAPHeaderData IN_HEADER_DATA = new SOAPHeaderData();25 public static final SOAPHeaderData OUT_HEADER_DATA = new SOAPHeaderData();26 public static final SOAPHeaderData IN_OUT_REQUEST_HEADER_DATA = new SOAPHeaderData();27 public static final SOAPHeaderData IN_OUT_RESPONSE_HEADER_DATA = new SOAPHeaderData();28 29 static {30 IN_HEADER_DATA.setOriginator("CxfSoapHeaderRoutePropagationTest.testInHeader"); 31 IN_HEADER_DATA.setMessage("Invoking CxfSoapHeaderRoutePropagationTest.testInHeader()");32 OUT_HEADER_DATA.setOriginator("CxfSoapHeaderRoutePropagationTest.testOutHeader"); 33 OUT_HEADER_DATA.setMessage("Invoking CxfSoapHeaderRoutePropagationTest.testOutHeader()");34 IN_OUT_REQUEST_HEADER_DATA.setOriginator("CxfSoapHeaderRoutePropagationTest.testInOutHeader Requestor"); 35 IN_OUT_REQUEST_HEADER_DATA.setMessage("Invoking CxfSoapHeaderRoutePropagationTest.testInOutHeader() Request");36 IN_OUT_RESPONSE_HEADER_DATA.setOriginator("CxfSoapHeaderRoutePropagationTest.testInOutHeader Responser"); 37 IN_OUT_RESPONSE_HEADER_DATA.setMessage("Invoking CxfSoapHeaderRoutePropagationTest.testInOutHeader() Responser");38 }39 40 private Constants() {41 }42 43 public static boolean equals(SOAPHeaderData lhs, SOAPHeaderData rhs) {44 if (compare(lhs, rhs)) {45 return true;46 }47 if (compare(lhs.getMessage(), rhs.getMessage())) {48 return true;49 }50 if (compare(lhs.getOriginator(), rhs.getOriginator())) {51 return true;52 }53 return false;54 }55 56 public static <L, R> boolean compare(L lhs, R rhs) {57 if (lhs == rhs) {58 return true;59 }60 if (lhs == null || rhs == null && lhs != rhs) {
![Page 28: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/28.jpg)
28 The report on detected vulnerabilities FILES
61 return false;62 }62...
Violating the Java Object Model
If an object redefines the equals() method without redefining the hashCode() method, it violates the Java object model requirement that equivalent objects must have an equivalent hash.
Example
Let's take a look at an Article type object
Javapublic class Article{ private final String name;
public Article( String name ) { this.name = name; }
@Override public boolean equals(Object o) { if( this == o ) return true; if( !( o instanceof Article ) ) return false; return name.equals( ((Article)o).name ); }}
The Article class redefines the equals() method in such a way that articles are considered equal if they have equal names. The class does not redefine the hashCode() method. By default, every object inherits the hashCode() method from the base Object class, and uses the object's address in the memory as its hash. This means that two object of the Article class will have different hashes, even if they are equal.
Let's take a look at a collection Article objects:
Javapublic static void main(String[] args) { HashSet<Article> articles = new HashSet<Article> (); Article a1 = new Article("My Article"); Article a2 = new Article("My Article"); articles.add(a1); articles.add(a2); }
The code in the example works fine, since a1.hashCode()!=a2.hashCode(). In the add method description you can see that only unique objects are added to a collection. In other words, the following must be true: an object e is added to the collection if there is no object e2 such that (e==null ? e2==null:e.equals(e2)). This means that our example vontradicts the definition of HashSet.
HashSet is not the only example of a collection that breaks the object model.
Potential Consequences
Breaking this requirement of equal hash codes for equal objects will lead to problems in dealing with collections, as well as errors in application logic. This is especially critical in dealing with hash tables and sets.
Removal Recommendations
![Page 29: Report on found vulnerabilities - InfoWatch · 2 The report on detected vulnerabilities FILES File name Files Lines Vulnerabilities by severity apache-camel-2.17.1-src.zip MD5:996d271338b4a99145dca8f0e85bbe35](https://reader035.fdocuments.us/reader035/viewer/2022070711/5ec9815e840bd01f0a0e246d/html5/thumbnails/29.jpg)
29 The report on detected vulnerabilities FILES
The realized class has to redefine both equals() and hashCode() in such a way that this requirement is fulfilled:
Javao1.equals(o2) && (o1.hashCode() == o2.hashCode())
By default, the equals() method only returns true if the object is compared to itself. Hash codes are unique (as much as possible, of course) to each object.