Bug 558633 (CVE-2019-17635)

Summary: Deserialization issues
Product: [Tools] MAT
Reporter: Andrew Johnson <andrew_johnson>
Component: Core
Assignee: Project Inbox <mat.core-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: krum.tsvetkov, wayne.beaton
Version: 1.9
Keywords: security
Target Milestone: 1.9.2
Hardware: All
OS: All
See Also: https://git.eclipse.org/r/155817
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=e2f6b9689392e8874d47374f3ec21addcb2a3872
https://git.eclipse.org/r/155836
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=3d19751e12bcbd997e555843bd1e90186374641d
Whiteboard:
Attachments: Validate classes (flags: none)

Description Andrew Johnson CLA 2019-12-26 06:09:13 EST
Java deserialization can give rise to security issues. We should review MAT for possible issues.

Possible areas:
SnapshotImpl.java - risk with untrusted pre-parsed dumps with indices
SnapshotHistoryService.java - slight risk with untrusted access to MAT created file holding the history
QueryHistory.java - slight risk with untrusted access to MAT created file holding the history

The latter two would only be more of a risk if the untrusted user did not have access to change the executables or plugins, but could change the history files.
Comment 1 Andrew Johnson CLA 2019-12-26 06:09:35 EST
Security issue so marked as such.
Comment 2 Andrew Johnson CLA 2019-12-26 06:11:47 EST
Created attachment 281337 [details]
Validate classes

This validates the classes on deserialization. We should double-check that the approved classes cannot cause a problem.
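An added illustration (not the attachment's code, which is not shown on this page) of the approach described above: an ObjectInputStream subclass that rejects any class descriptor not on an explicit allow list, so a tampered history or index file cannot cause unexpected classes to be loaded. The allow list, the sample history list and the HashMap standing in for unexpected content are constructed for this demo; it assumes Java 9 or later.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/** ObjectInputStream that refuses to resolve any class not on an explicit allow list. */
public class ValidatingObjectInputStream extends ObjectInputStream {
    // Constructed allow list for this demo: the types a history list is expected to contain.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList", "java.lang.String");

    public ValidatingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Checked before the class is loaded, so an unexpected class is never instantiated.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not permitted in this stream");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize one object from bytes, enforcing the allow list. */
    public static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ValidatingObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected content: a list of strings, as a history file would hold.
        List<String> history = new ArrayList<>(List.of("dump1.hprof", "dump2.hprof"));
        System.out.println("accepted: " + readChecked(serialize(history)));
        // Unexpected content: a standard but unlisted class stands in for a tampered file.
        try {
            readChecked(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can also be expressed without subclassing through ObjectInputStream.setObjectInputFilter, which is consulted for each class descriptor as the stream is read.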
Comment 3 Eclipse Genie CLA 2020-01-14 03:54:34 EST
New Gerrit change created: https://git.eclipse.org/r/155817
Comment 5 Eclipse Genie CLA 2020-01-14 08:31:34 EST
New Gerrit change created: https://git.eclipse.org/r/155836
Comment 7 Andrew Johnson CLA 2020-01-16 02:32:10 EST
Draft CVE

[CVE-ID]: CVE-2020-
[PRODUCT]: Eclipse Memory Analyzer
[VERSION]: All versions prior to version 1.9.2
[PROBLEMTYPE]: CWE-502: Deserialization of Untrusted Data
[REFERENCES]: CONFIRM:https://bugs.eclipse.org/bugs/show_bug.cgi?id=558633
[DESCRIPTION]: Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
[ASSIGNINGCNA]: Eclipse Foundation
Comment 8 Wayne Beaton CLA 2020-01-16 10:54:27 EST
I've assigned CVE-2019-17635.

Let me know when you're ready and we'll remove the "committers-only" flag and push the report.
Comment 9 Krum Tsvetkov CLA 2020-01-17 12:28:45 EST
We are ready. You can go on and push the report.
Comment 10 Wayne Beaton CLA 2020-01-17 13:34:09 EST
Pull request: https://github.com/CVEProject/cvelist/pull/3051