Re: [Jython-users] CVE-2016-4000

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hello Adam,</div>

<div>&nbsp;</div>

<div>thank you for quick response.</div>

<div>&nbsp;</div>

<div>Basicly we have a java application which provides as a part of it a python code editor so you can execute your own python scripts.</div>

<div>&nbsp;</div>

<div>I think if you only can inject python code the issue should be not a critical&nbsp;issue, because the user has the possibility&nbsp;to write the code directly in the script.</div>

<div>But if there could be executed any code to attack the server, it would be much worse.</div>

<div>&nbsp;</div>

<div>
<div>In the new version of our application we use the 2.7.1 version, but one of our customers uses a 2 years old version of our application and there is still the 2.5.3 version of jython in use.</div>
To upgrade to 2.7.1 would be my last choice, because the application grew quite big and sadly there would be very many changes required in the old code.</div>

<div>&nbsp;</div>

<div>Best regards,</div>

<div>Samuel</div>

<div>&nbsp;
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Gesendet:</b>&nbsp;Freitag, 21. Juni 2019 um 13:26 Uhr<br/>
<b>Von:</b>&nbsp;&quot;Adam Burke&quot; &lt;ada...@gm...&gt;<br/>
<b>An:</b>&nbsp;&quot;Samuel Schober&quot; &lt;sam...@we...&gt;, &quot;jyt...@li...&quot; &lt;jyt...@li...&gt;<br/>
<b>Betreff:</b>&nbsp;Re: [Jython-users] CVE-2016-4000</div>

<div name="quoted-content">
<div><span>Going from the bug report, I didn&rsquo;t work on it, and a core dev could correct me, but it&rsquo;s specifically about deserializing Python objects.</span>

<div>&nbsp;</div>

<div><a href="https://hg.python.org/jython/rev/d06e29d100c0" target="_blank"><font color="#000000">https://hg.python.org/jython/rev/d06e29d100c0</font></a></div>

<div>&nbsp;</div>

<div><span>It would depend on whether your app had an exposed endpoint that accepted Python objects. All the usual caveats about eg web form data hygiene apply.</span></div>

<div>&nbsp;</div>

<div><span>Without knowing your exact organizational or technical constraint, I would mention</span><span>&nbsp;that security bugs can be excellent sticks for pushing through needed, but delayed, upgrades to current versions of infrastructure and libraries, like upgrading to Jython 2.7.1. Priorities can suddenly realign.</span></div>

<div>&nbsp;</div>
Cheers

<div id="AppleMailSignature">Adam</div>

<div><br/>
&#22312; 2019&#24180;6&#26376;21&#26085;&#65292;&#19979;&#21320;9:19&#65292;Adam Burke &lt;<a href="mailto:ada...@gm..." onclick="parent.window.location.href=&#39;mailto:ada...@gm...&#39;; return false;" target="_blank">ada...@gm...</a>&gt; &#20889;&#36947;&#65306;<br/>
&nbsp;</div>

<blockquote>
<div>Going from the bug report, it&rsquo;s specifically about deserializing Python objects.
<div>&nbsp;</div>

<div><a href="https://hg.python.org/jython/rev/d06e29d100c0" target="_blank">https://hg.python.org/jython/rev/d06e29d100c0</a></div>

<div>&nbsp;</div>

<div>It would depend on whether your app had an exposed endpoint that accepted Python objects. All the usual caveats about eg web form data hygiene apply.</div>

<div>&nbsp;</div>

<div>Without knowing your exact organizational or technical constraint, I would say that security bugs can be excellent sticks for pushing through needed, but delayed, upgrades to current versions of infrastructure and libraries, like upgrading to Jython 2.7.1. Priorities can suddenly realign.</div>

<div>&nbsp;</div>

<div>Cheers
<div id="AppleMailSignature">Adam</div>

<div><br/>
&#22312; 2019&#24180;6&#26376;21&#26085;&#65292;&#19979;&#21320;8:57&#65292;Samuel Schober &lt;<a href="mailto:sam...@we..." onclick="parent.window.location.href=&#39;mailto:sam...@we...&#39;; return false;" target="_blank">sam...@we...</a>&gt; &#20889;&#36947;&#65306;<br/>
&nbsp;</div>

<blockquote>
<div>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>
<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">Hello,</span></span></p>

<p>&nbsp;</p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">I am using the jython package for an project and have a question about an issue you had.</span></span></p>

<p>&nbsp;</p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">The used version is 2.5.3 and unfortunally it can not be updated to 2.7.1. Now I found the following issue:&nbsp;</span></span></p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000" style="color: rgb(5,99,193);text-decoration: underline;" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000</a></span></span></p>

<p>&nbsp;</p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">It notices that jython allows attackers to execute arbitrary code and I wanted to ask what kind of code could be executed?</span></span></p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">Is it only python code which could be executed or is it possible to execute any kind of binary code? </span></span></p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">And is it possible&nbsp;to have influence on the server outside of the application or does it just affect my application?</span></span></p>

<p>&nbsp;</p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">I hope you can help me with that question.</span></span></p>

<p>&nbsp;</p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">Best regards,</span></span></p>

<p><span style="font-size: 11.0pt;"><span style="font-family: Calibri , sans-serif;">Samuel Schober</span></span></p>
</div>
</div>
</div>
</blockquote>

<blockquote>
<div>&nbsp;</div>
</blockquote>

<blockquote>
<div><span>_______________________________________________</span><br/>
<span>Jython-users mailing list</span><br/>
<span><a href="mailto:Jyt...@li..." onclick="parent.window.location.href=&#39;mailto:Jyt...@li...&#39;; return false;" target="_blank">Jyt...@li...</a></span><br/>
<span><a href="https://lists.sourceforge.net/lists/listinfo/jython-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/jython-users</a></span></div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div></div></body></html>