Security Vulnerability Alert and Request for Fix: SNYK-JAVA-WSSCHILD-6154599 / CVE-2023-48909
Hi @a-schild, I am writing to bring to your attention a recently discovered security vulnerability in jave2 posted in the Snyk database:
Vulnerability Details:
Identifier: SNYK-JAVA-WSSCHILD-6154599
Level: CRITICAL
Description: Snyk Vulnerability Report - I'm not 100% sure it is a public link
CVE: https://www.cve.org/CVERecord?id=CVE-2023-48909
This vulnerability poses a risk to the security and integrity of applications that use the jave2 library as a dependency.
I am reaching out to discuss the potential steps we can take towards a resolution.
Thank you for your time and dedication to maintaining the high standards of the jave2 library. I look forward to your guidance on how best to proceed.
@luzhanov Thanks for bringing this to my attention.
That's a rather strange CVE. It just says that you can run any OS command when you use the executor class. That would be the same as reporting a vulnerability in bash, since there you can also run any command...
The Java built-in Runtime.getRuntime().exec(...) method would then also be a security vulnerability.
Here are a few suggestions for what can potentially be done (not specifically fixing a potential vulnerability, but rather improvements):
- Replace `Runtime().exec()` with `ProcessBuilder`, something like this:

```java
ProcessBuilder processBuilder = new ProcessBuilder(execList);
ffmpeg = processBuilder.start();
if (destroyOnRuntimeShutdown) {
    ffmpegKiller = new ProcessKiller(ffmpeg);
    Runtime.getRuntime().addShutdownHook(ffmpegKiller);
}
```
- Implementing character validation for commands input by the user (removing suspicious characters). This may be challenging, as FFMPEG utilizes various characters in its configurations, and some special characters are valid in file names.
As I can see from Semgrep recommendation on command injection, there is not much room for optimization. https://semgrep.dev/docs/cheat-sheets/java-command-injection/
- The most complex solution I thought of is:
  - Add a new enum `ArgEnum` which will hold all arguments which are currently hardcoded in the project
  - Create method `ProcessWrapper.addArgument(ArgEnum argument)` which will add arguments without checking
  - Any other argument from the user will be added via the existing `ProcessWrapper.addArgument(String arg)` but with extra validation.
- Add new enum
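To make the three suggestions above concrete, here is an added example sketch that is not jave2's code and not a patch from the project: it combines the `ProcessBuilder` argument-list form with an allowlist enum for the wrapper's own flags and a separate, validated path for user-supplied values. The class name `SafeProcessWrapper`, the enum `Arg`, the methods `addUserValue` and `addUserPath`, and the flag list inside the enum are all hypothetical choices made for this illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical sketch (not jave2's code): a process wrapper that keeps
// developer-chosen flags and user-supplied values on separate code paths.
public final class SafeProcessWrapper {

    // Allowlist of flags the wrapper itself is permitted to emit. The entries
    // here are a constructed sample; a real wrapper would enumerate the flags
    // the project actually hardcodes.
    public enum Arg {
        INPUT("-i"), OVERWRITE("-y"), HIDE_BANNER("-hide_banner"),
        VIDEO_CODEC("-vcodec"), AUDIO_CODEC("-acodec");

        private final String flag;
        Arg(String flag) { this.flag = flag; }
        public String flag() { return flag; }
    }

    private final List<String> command = new ArrayList<>();

    public SafeProcessWrapper(String executable) {
        command.add(executable);
    }

    // Trusted path: the flag text comes from the enum, never from a caller string.
    public SafeProcessWrapper addArgument(Arg arg) {
        command.add(arg.flag());
        return this;
    }

    // Untrusted path: a value that originates from user input (file name,
    // codec name, ...). ProcessBuilder passes each list element as one argv
    // entry with no shell in between, so shell metacharacters are inert. What
    // remains is option injection: a value such as "-f" that ffmpeg would read
    // as a flag. Reject that, and reject control characters that cannot be
    // part of a sane argument.
    public SafeProcessWrapper addUserValue(String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("empty argument");
        }
        if (value.startsWith("-")) {
            throw new IllegalArgumentException("user value may not look like an option: " + value);
        }
        for (int i = 0; i < value.length(); i++) {
            if (Character.isISOControl(value.charAt(i))) {
                throw new IllegalArgumentException("control character in argument");
            }
        }
        command.add(value);
        return this;
    }

    // Convenience for file arguments: normalize the path and require it to stay
    // under a base directory, then hand the absolute form to addUserValue.
    public SafeProcessWrapper addUserPath(Path baseDir, String userPath) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(userPath).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return addUserValue(resolved.toString());
    }

    public List<String> command() {
        return Collections.unmodifiableList(command);
    }

    public Process start() throws IOException {
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) {
        SafeProcessWrapper w = new SafeProcessWrapper("ffmpeg")
            .addArgument(Arg.HIDE_BANNER)
            .addArgument(Arg.INPUT)
            .addUserPath(Path.of("/var/media"), "clip.mp4")   // constructed sample input
            .addArgument(Arg.VIDEO_CODEC)
            .addUserValue("libx264")
            .addUserValue("out.mp4");
        System.out.println(w.command());

        // A user value that looks like an option is refused before it reaches argv.
        try {
            new SafeProcessWrapper("ffmpeg").addUserValue("-f");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is the split: flags reach `command` only through the enum, and anything a user controls goes through `addUserValue`, where the checks are about what ffmpeg itself would misinterpret (a leading dash, control characters, a path outside the media directory) rather than about shell syntax, which the argument-list form of `ProcessBuilder` never invokes.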