Update esapi to 2.2.1.1

[Veranicus]

Dependency org.owasp.esapi:esapi:2.2.0.0 has a security vulnerability in commons-beanutils:commons-beanutils:1.9.3, specifically CWE-502.

[jzheaux]

Thanks for the report, @Veranicus. Have you already reached out to ESAPI about it? Since they are directly dependent on it, that's the ideal place to address this.

It looks like their next GA release will use 1.9.4.

[Veranicus]

Can this pose a real security threat ? Should we stop using this library until version is upgraded and released ? I already contacted ESAPI, they told me they are aware of this error and that it's going to be fixed in an upcoming version.

[jzheaux]

It's a little tricky to say definitively. Insecure deserialization is typically a problem if you are deserializing untrusted Java objects and you've got something on the classpath that can be leveraged as a serialization gadget. Without knowing the precise exploit details, I'd imagine there is a problem with some composition of classes in commons-beanutils that can be leveraged to formulate such a gadget that is activated during deserialization. It can also happen when deserializing any format (not just Java serialization) where the Java class can be specified by the serialized payload.

Regarding whether you should stop using spring-security-saml, what I'd recommend is that you take a look at Spring Security's built-in support for SAML 2.0 since spring-security-saml is in maintenance mode, and no further minor or major releases are planned. The development against the OpenSAML 3.x and Spring Security 5.x is active.

While spring-security-saml remains in maintenance mode, a best effort will be made to keep dependencies up to date; however, know that it's currently dependent on other libraries (HttpClient 3.1, for example) with open CVEs for which spring-security-saml has no upgrade path.

[frombrest]

Dependency: commons-collections:commons-collections:jar:3.2.1:compile https://nvd.nist.gov/vuln/detail/CVE-2015-6420

Could you migrate to commons-collections:commons-collections:jar:3.2.2:compile to fix it?

[jzheaux]

@frombrest, the most recent GA version already uses 3.2.2, or did I misunderstand?

[jzheaux]

The ESAPI 2.2.1.1 release is not backward compatible with the latest 2.x OpenSAML version. Since there are no planned releases for OpenSAML 2.x, it's unlikely that Spring Security SAML will be able to take the upgrade.

For those needing commons-beanutils:1.9.4, consider specifying the dependency in your POM.

For those needing esapi:2.2.1.1, you will need to extend org.opensaml.DefaultBootstrap to override the initializeESAPI method and create your own implementation of org.owasp.esapi.SecurityConfiguration.