Security Vulnerability Alert and Request for Fix: SNYK-JAVA-WSSCHILD-6154599 / CVE-2023-48909 #258

Open
luzhanov opened this issue Jan 18, 2024 · 2 comments

luzhanov commented Jan 18, 2024

Hi @a-schild, I am writing to bring to your attention a recently discovered security vulnerability in jave2 posted in the Snyk database:

Vulnerability Details:

Identifier: SNYK-JAVA-WSSCHILD-6154599
Level: CRITICAL
Description: Snyk Vulnerability Report - I'm not 100% sure it is a public link
Description CVE: https://www.cve.org/CVERecord?id=CVE-2023-48909

This vulnerability poses a risk to the security and integrity of applications that use the jave2 library as a dependency.

I am reaching out to discuss the potential steps we can take towards a resolution.

Thank you for your time and dedication to maintaining the high standards of the jave2 library. I look forward to your guidance on how best to proceed.

@luzhanov luzhanov changed the title Security Vulnerability Alert and Request for Fix: SNYK-JAVA-WSSCHILD-6154599 Security Vulnerability Alert and Request for Fix: SNYK-JAVA-WSSCHILD-6154599 / CVE-2023-48909 Jan 18, 2024
a-schild (Owner) commented Jan 19, 2024

@luzhanov Thanks for bringing this to my attention.

That's a rather strange CVE.
It just says that you can run any OS command when you use the executor class.
That would be the same as reporting a vulnerability in bash, since there you can also run any command...

The Java built-in Runtime.getRuntime().exec(...) method would then also be a security vulnerability.

luzhanov (Author) commented

Here are a few suggestions for what could potentially be done (not specifically fixing a potential vulnerability, but rather improvements):

1. Replace Runtime().exec() with ProcessBuilder, something like this:

```java
// Build the argv list directly; ProcessBuilder does not go through a shell
ProcessBuilder processBuilder = new ProcessBuilder(execList);
ffmpeg = processBuilder.start(); // throws IOException if ffmpeg cannot be launched

if (destroyOnRuntimeShutdown) {
  // Make sure the ffmpeg child process does not outlive the JVM
  ffmpegKiller = new ProcessKiller(ffmpeg);
  Runtime.getRuntime().addShutdownHook(ffmpegKiller);
}
```

2. Implement character validation for commands input by the user (removing suspicious characters). This may be challenging, as FFMPEG utilizes various characters in its configurations, and some special characters are valid in file names.

As I can see from the Semgrep recommendation on command injection, there is not much room for optimization.
https://semgrep.dev/docs/cheat-sheets/java-command-injection/

3. The most complex solution I thought of is:
   1. Add a new enum ArgEnum which will hold all arguments which are currently hardcoded in the project.
   2. Create a method ProcessWrapper.addArgument(ArgEnum argument) which will add arguments without checking.
   3. Any other argument from the user will be added via the existing ProcessWrapper.addArgument(String arg) but with extra validation.
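An added sketch of the third suggestion, not part of the thread and not jave2's own code: `FfmpegArg`, `SafeProcessWrapper` and the option list inside the enum are hypothetical names and constructed values. Library-controlled options go in as an enum, caller-supplied values go through the validating overload, and the argv list is handed to `ProcessBuilder` so no shell is involved.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical sketch of the proposal above (FfmpegArg and SafeProcessWrapper are made-up names, not jave2 API).
public class SafeProcessWrapper {
    // Options the library itself hard-codes; the list here is constructed and partial.
    public enum FfmpegArg {
        INPUT("-i"), OVERWRITE("-y"), VIDEO_CODEC("-c:v"), AUDIO_CODEC("-c:a");
        final String flag;
        FfmpegArg(String flag) { this.flag = flag; }
    }

    private final List<String> args = new ArrayList<>();

    public SafeProcessWrapper(String ffmpegExecutable) {
        args.add(ffmpegExecutable);
    }

    // Library-controlled option: trusted, appended without checks.
    public SafeProcessWrapper addArgument(FfmpegArg arg) {
        args.add(arg.flag);
        return this;
    }

    // Caller-supplied value (codec name, bitrate, path). ProcessBuilder hands each element to
    // the OS as its own argv entry, so no shell ever parses it; what remains is the risk of a
    // value being read by ffmpeg as an option, so anything option-shaped is refused.
    public SafeProcessWrapper addArgument(String value) {
        if (value == null || value.isEmpty() || value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-containing argument");
        }
        if (value.startsWith("-")) {
            throw new IllegalArgumentException("user value may not start with '-': " + value);
        }
        args.add(value);
        return this;
    }

    // Paths are canonicalised first: an absolute path can never be option-shaped, so a file
    // legitimately named "-clip.mp4" still passes once given as a full path.
    public SafeProcessWrapper addPath(File file) throws IOException {
        return addArgument(file.getCanonicalPath());
    }

    public Process start() throws IOException {
        return new ProcessBuilder(args).start();
    }
}
```

Because `ProcessBuilder` never invokes a shell, shell metacharacters in a value reach ffmpeg as literal text; the leading-dash check addresses the separate problem of a value being parsed as an ffmpeg option, which the second suggestion's character filtering would not catch on its own.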
