github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

Java (Maven): Use of insecure protocol to download/upload artifacts #21

Closed JLLeitschuh closed 4 years ago

JLLeitschuh commented 5 years ago

Published Research

Want to take over the Java ecosystem? All you need is a MITM!

CVE ID(s)

There are other projects without CVE numbers that need assignment still: https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0

Report

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

At the beginning of 2019, I began a multi-month-long research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.

This included projects such as these:

As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.

The links to the announcements by these organizations can be found here.

At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.

I already have, but would post an updated post after this was merged.

Query

Unfortunately, since QL doesn't allow me to create queries against Gradle build logic yet, I'm only currently able to support Maven POM XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.

https://github.com/Semmle/ql/pull/2413
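The check the submitted query performs on Maven POM files, as an added example that is not part of the original report and is not the CodeQL query from the linked PR: it walks every `<repository>`, `<pluginRepository>` and `<distributionManagement>` target in a POM and flags any `<url>` whose scheme is `http://` or `ftp://`, which is exactly the artifact-resolution and upload traffic a network MITM can tamper with. The POM content below is constructed for illustration (the `.invalid` hosts do not exist), and the function and constant names are this example's own.

```python
"""Scan a Maven POM for artifact repositories declared over insecure protocols.

Added example in plain Python, not the CodeQL query from the linked PR. Walks
every repository element whose <url> names an artifact server and flags values
whose scheme is http:// or ftp://. SAMPLE_POM is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Element paths (relative to <project>) whose <url> child names an artifact
# server used for download (repositories, pluginRepositories) or upload
# (distributionManagement). Profiles can declare their own repositories too.
REPOSITORY_PATHS = (
    "repositories/repository",
    "pluginRepositories/pluginRepository",
    "distributionManagement/repository",
    "distributionManagement/snapshotRepository",
    "profiles/profile/repositories/repository",
    "profiles/profile/pluginRepositories/pluginRepository",
)

INSECURE_SCHEMES = ("http://", "ftp://")


def _namespace(root: ET.Element) -> str:
    """Return the XML namespace of the root element ('' when the POM has none)."""
    if root.tag.startswith("{"):
        return root.tag[1:].split("}", 1)[0]
    return ""


def _qualify(path: str, ns: str) -> str:
    """Prefix each step of a slash-separated element path with the namespace."""
    if not ns:
        return path
    return "/".join("{%s}%s" % (ns, step) for step in path.split("/"))


def find_insecure_repositories(pom_xml: str) -> list:
    """Return (path, id, url) for each repository whose URL uses http:// or ftp://.

    URLs built from properties (e.g. ${repo.url}) cannot be judged from the
    file alone and are skipped, as a single-file static check has to.
    """
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    findings = []
    for path in REPOSITORY_PATHS:
        for repo in root.findall(_qualify(path, ns)):
            url_el = repo.find(_qualify("url", ns))
            id_el = repo.find(_qualify("id", ns))
            if url_el is None or url_el.text is None:
                continue
            url = url_el.text.strip()
            if url.startswith("${"):
                continue
            if url.lower().startswith(INSECURE_SCHEMES):
                repo_id = id_el.text.strip() if id_el is not None and id_el.text else "(no id)"
                findings.append((path, repo_id, url))
    return findings


# Constructed sample: a plain-HTTP download repository, an HTTPS plugin
# repository (fine), an upper-case HTTP snapshot upload target, and a release
# target whose URL comes from a property (skipped as unresolvable).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>legacy-mirror</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>https://plugins.example.invalid/maven2</url>
    </pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <snapshotRepository>
      <id>snapshots</id>
      <url>HTTP://snapshots.example.invalid/maven2</url>
    </snapshotRepository>
    <repository>
      <id>releases</id>
      <url>${release.repo.url}</url>
    </repository>
  </distributionManagement>
</project>
"""

if __name__ == "__main__":
    for path, repo_id, url in find_insecure_repositories(SAMPLE_POM):
        print("insecure repository %s (%s): %s" % (repo_id, path, url))
```

The fix for each finding is to change the scheme to `https://` (or drop the element if the server is a mirror of Maven Central, which the build resolves over HTTPS by default in current Maven releases). Repositories declared in `~/.m2/settings.xml` mirrors and in Gradle build scripts are out of scope here, just as they were for the POM-only query.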

JLLeitschuh commented 4 years ago

Currently, working on a draft for an article titled 'Update: Want to take over the Java ecosystem? All you need is a MITM!' which will mention this new QL query.

JLLeitschuh commented 4 years ago

Merged! 😄

xcorail commented 4 years ago

High severity-ranking Payment order reviewed and 👍 Ready to 💰

JLLeitschuh commented 4 years ago

Shared to twitter here: https://twitter.com/JLLeitschuh/status/1207402070007066624?s=20

Thanks GitHub Team! Pleasure working with you as always!