jakartaee / expression-language

Jakarta Expression Language
https://eclipse.org/ee4j/el

GHSL-2020-021 - Bypass input sanitization of EL expressions #155

Closed mpiggott closed 2 years ago

mpiggott commented 3 years ago

GitHub posted this publicly about 2 weeks ago - https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/

erlioniel commented 3 years ago

Hello, as a library user I would like to hear some info about how the team is supposed to handle the vulnerability. Are there any plans to react & fix the issue?

Br. Vladimir

markt-asf commented 3 years ago

Here is everything I know.

This was reported to the Eclipse security team on 2020-04-14. The EL project lead was informed via being CC'd on the Bugzilla issue on 2020-04-20. I don't know if the EL project lead received that email or whether it was lost in a spam filter, etc. I haven't been able to identify any further activity at Eclipse since then. You need to be an Eclipse committer to access that issue, but (AFAICT) there isn't any information there that isn't in the published report or this comment.

I found out about this issue via $work a couple of days ago. As a Tomcat committer I wanted to check whether Tomcat was also vulnerable since the Jakarta EL implementation was originally forked from Tomcat. Tomcat was fixed in a commit some time ago. That fix may not apply directly to Jakarta EL as there have been other fixes to Tomcat's EL parsing grammar since the fork.

The Tomcat fixes are available to the Jakarta EL project under the ALv2.

The main focus of my time is Apache Tomcat. My work at Jakarta is on the specifications and the APIs. I simply don't have the time to maintain the Jakarta implementations as well.

For folks that need an immediate fix, my recommendation would be to use a different implementation where the issue has been fixed / doesn't exist. The benefit of the Java EE / Jakarta EE specs is that you should be able to freely switch implementations.

waynebeaton commented 3 years ago

I've assigned CVE-2021-28170 and have pushed a report to the central authority. I will continue to monitor this issue and push updates to the report as requested by the project team.

TomasHofman commented 3 years ago

Proposed PR: https://github.com/eclipse-ee4j/el-ri/pull/160