Java deserialization can give rise to security issues. We should review MAT for possible issues.
Possible areas:
SnapshotImpl.java - risk with untrusted pre-parsed dumps with indices
SnapshotHistoryService.java - slight risk with untrusted access to MAT created file holding the history
QueryHistory.java - slight risk with untrusted access to MAT created file holding the history
The latter two would only be more of a risk if the untrusted user did not have access to change the executables or plugins, but could change the history files.
Security issue so marked as such.
Created attachment 281337 [details] Validate classes This validates the classes on deserialization. We should double-check that the approved classes cannot cause a problem.
New Gerrit change created: https://git.eclipse.org/r/155817
Gerrit change https://git.eclipse.org/r/155817 was merged to [1.9.x]. Commit: http://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=e2f6b9689392e8874d47374f3ec21addcb2a3872
New Gerrit change created: https://git.eclipse.org/r/155836
Gerrit change https://git.eclipse.org/r/155836 was merged to [master]. Commit: http://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=3d19751e12bcbd997e555843bd1e90186374641d
Draft CVE
[CVE-ID]: CVE-2020-
[PRODUCT]: Eclipse Memory Analyzer
[VERSION]: All versions prior to version 1.9.2
[PROBLEMTYPE]: CWE-502: Deserialization of Untrusted Data
[REFERENCES]: CONFIRM:https://bugs.eclipse.org/bugs/show_bug.cgi?id=558633
[DESCRIPTION]: Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
[ASSIGNINGCNA]: Eclipse Foundation
I've assigned CVE-2019-17635. Let me know when you're ready and we'll remove the "committers-only" flag and push the report.
We are ready. You can go on and push the report.
Pull request: https://github.com/CVEProject/cvelist/pull/3051