| Field | Value |
|---|---|
| Summary: | Deserialization issues |
| Product: | [Tools] MAT |
| Reporter: | Andrew Johnson <andrew_johnson> |
| Component: | Core |
| Assignee: | Project Inbox <mat.core-inbox> |
| Status: | RESOLVED FIXED |
| QA Contact: | |
| Severity: | normal |
| Priority: | P3 |
| CC: | krum.tsvetkov, wayne.beaton |
| Version: | 1.9 |
| Keywords: | security |
| Target Milestone: | 1.9.2 |
| Hardware: | All |
| OS: | All |
| See Also: | https://git.eclipse.org/r/155817 ; https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=e2f6b9689392e8874d47374f3ec21addcb2a3872 ; https://git.eclipse.org/r/155836 ; https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=3d19751e12bcbd997e555843bd1e90186374641d |
| Whiteboard: | |
| Attachments: | |
Description
Andrew Johnson
Security issue so marked as such.

Created attachment 281337: Validate classes
This validates the classes on deserialization. We should double-check that the approved classes cannot cause a problem.

New Gerrit change created: https://git.eclipse.org/r/155817

Gerrit change https://git.eclipse.org/r/155817 was merged to [1.9.x]. Commit: http://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=e2f6b9689392e8874d47374f3ec21addcb2a3872

New Gerrit change created: https://git.eclipse.org/r/155836

Gerrit change https://git.eclipse.org/r/155836 was merged to [master]. Commit: http://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=3d19751e12bcbd997e555843bd1e90186374641d

Draft CVE
[CVE-ID]: CVE-2020-
[PRODUCT]: Eclipse Memory Analyzer
[VERSION]: All versions prior to version 1.9.2
[PROBLEMTYPE]: CWE-502: Deserialization of Untrusted Data
[REFERENCES]: CONFIRM:https://bugs.eclipse.org/bugs/show_bug.cgi?id=558633
[DESCRIPTION]: Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
[ASSIGNINGCNA]: Eclipse Foundation

I've assigned CVE-2019-17635. Let me know when you're ready and we'll remove the "committers-only" flag and push the report.

We are ready. You can go on and push the report.

Pull request: https://github.com/CVEProject/cvelist/pull/3051
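The mitigation the attachment describes, validating classes at deserialization time, as an added illustration that is not MAT's own code: an `ObjectInputStream` that resolves only an explicit allowlist of classes and rejects everything else before any class is loaded or any `readObject` runs. The allowlist contents and the `com.example.IndexHeader` name are hypothetical stand-ins, not the real MAT index types.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

// Added example (not from the MAT project): allowlisting ObjectInputStream.
// The permitted class names are hypothetical placeholders for whatever an
// index file format legitimately needs, not the actual MAT classes.
public class ValidatingObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Long",
        "[I", "[J",                 // int[] and long[] array descriptors
        "com.example.IndexHeader"   // hypothetical index record type
    );

    public ValidatingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Reject by name before the class is loaded, so no gadget
            // constructor or readObject of an unexpected type ever executes.
            throw new InvalidClassException(name, "class not permitted in index file");
        }
        return super.resolveClass(desc);
    }

    // Constructed demonstration: a serialized String is accepted, a
    // serialized HashMap (not on the allowlist) is rejected.
    public static void main(String[] args) throws Exception {
        Object[] samples = { "ok", new HashMap<String, String>() };
        for (Object sample : samples) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
                oos.writeObject(sample);
            }
            try (ObjectInputStream ois = new ValidatingObjectInputStream(
                    new ByteArrayInputStream(bos.toByteArray()))) {
                System.out.println("accepted: " + ois.readObject());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

On Java 9 and later the same policy can also be expressed declaratively with the JDK's built-in `java.io.ObjectInputFilter` instead of overriding `resolveClass`; either way the key property is that the decision is made from the class name in the stream header, before instantiation.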