Bug 558633 (CVE-2019-17635) - Deserialization issues
Summary: Deserialization issues
Status: RESOLVED FIXED
Alias: CVE-2019-17635
Product: MAT
Classification: Tools
Component: Core
Version: 1.9
Hardware: All All
Importance: P3 normal
Target Milestone: 1.9.2
Assignee: Project Inbox CLA
Keywords: security
Reported: 2019-12-26 06:09 EST by Andrew Johnson CLA
Modified: 2021-02-26 05:06 EST

Attachments
Validate classes (12.26 KB, patch)
2019-12-26 06:11 EST, Andrew Johnson CLA

Description Andrew Johnson CLA 2019-12-26 06:09:13 EST
Java deserialization can give rise to security issues. We should review MAT for possible issues.

Possible areas:
SnapshotImpl.java - risk with untrusted pre-parsed dumps with indices
SnapshotHistoryService.java - slight risk with untrusted access to MAT created file holding the history
QueryHistory.java - slight risk with untrusted access to MAT created file holding the history

The latter two would only be more of a risk if the untrusted user did not have access to change the executables or plugins, but could change the history files.
Comment 1 Andrew Johnson CLA 2019-12-26 06:09:35 EST
Security issue so marked as such.
Comment 2 Andrew Johnson CLA 2019-12-26 06:11:47 EST
Created attachment 281337 [details]
Validate classes

This validates the classes on deserialization. We should double-check that the approved classes cannot cause a problem.
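The class validation described above, as an added illustration that is not the attached patch or MAT's own code: an ObjectInputStream subclass that rejects any class outside an explicit allowlist in resolveClass, so an index or history file replaced with an unexpected object graph is refused before any of its classes are loaded. IndexHeader, the allowlist contents and the sample inputs are constructed for this example.

```java
import java.io.*;
import java.util.*;

/** Constructed stand-in for the record an index file is expected to contain. */
final class IndexHeader implements Serializable {
    private static final long serialVersionUID = 1L;
    final String dumpName;
    final long objectCount;
    IndexHeader(String dumpName, long objectCount) { this.dumpName = dumpName; this.objectCount = objectCount; }
}

/** ObjectInputStream that refuses to resolve any class not on the caller's allowlist. */
final class ValidatingObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    ValidatingObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Runs before the class is loaded or instantiated, so no readObject()/readResolve()
        // of an unexpected class can execute.
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializationAllowlistDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object readIndex(byte[] data) throws IOException, ClassNotFoundException {
        // Only the expected record type; String and primitive fields need no class descriptor.
        Set<String> allowed = Set.of(IndexHeader.class.getName());
        try (ObjectInputStream in = new ValidatingObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        IndexHeader ok = (IndexHeader) readIndex(serialize(new IndexHeader("heap.hprof", 12345L)));
        System.out.println("accepted: " + ok.dumpName + " " + ok.objectCount);
        try { // constructed stand-in for a replaced file: any other class is rejected up front
            readIndex(serialize(new ArrayList<>(List.of("unexpected"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with ObjectInputStream.setObjectInputFilter, which also lets you bound graph depth and array sizes; whichever mechanism is used, the allowlist should be reviewed so that none of the approved classes can itself trigger harmful behaviour during deserialization.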
Comment 3 Eclipse Genie CLA 2020-01-14 03:54:34 EST
New Gerrit change created: https://git.eclipse.org/r/155817
Comment 5 Eclipse Genie CLA 2020-01-14 08:31:34 EST
New Gerrit change created: https://git.eclipse.org/r/155836
Comment 7 Andrew Johnson CLA 2020-01-16 02:32:10 EST
Draft CVE

[CVE-ID]: CVE-2020-
[PRODUCT]: Eclipse Memory Analyzer
[VERSION]: All versions prior to version 1.9.2
[PROBLEMTYPE]: CWE-502: Deserialization of Untrusted Data
[REFERENCES]: CONFIRM:https://bugs.eclipse.org/bugs/show_bug.cgi?id=558633
[DESCRIPTION]: Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
[ASSIGNINGCNA]: Eclipse Foundation
Comment 8 Wayne Beaton CLA 2020-01-16 10:54:27 EST
I've assigned CVE-2019-17635.

Let me know when you're ready and we'll remove the "committers-only" flag and push the report.
Comment 9 Krum Tsvetkov CLA 2020-01-17 12:28:45 EST
We are ready. You can go on and push the report.
Comment 10 Wayne Beaton CLA 2020-01-17 13:34:09 EST
Pull request: https://github.com/CVEProject/cvelist/pull/3051