From: Jeff M. <jef...@za...> - 2019-06-21 14:41:48

Without knowing anything about your project let me throw out there.. people can write their own py scripts and run them on your server? Is that sandboxed at all? Specific packages only? (should be jailed hard somehow...) Because python has many packages for, say..

- executing binaries (running external programs); wouldn't take more than an exec/system to rm -rf / :)
- read or write over system config files
- pull in any old system shared library and invoke calls to it (ctypes etc)

So, without knowing details, no one can provide advice; but 'run python scripts' basically means 'wide open' in my book :)

On Fri, Jun 21, 2019 at 8:33 AM Samuel Schober <sam...@we...> wrote:
> Hello Adam,
>
> thank you for the quick response.
>
> Basically we have a java application which provides as a part of it a python code editor so you can execute your own python scripts.
>
> I think if you only can inject python code the issue should be not a critical issue, because the user has the possibility to write the code directly in the script.
> But if there could be executed any code to attack the server, it would be much worse.
>
> In the new version of our application we use the 2.7.1 version, but one of our customers uses a 2 years old version of our application and there is still the 2.5.3 version of jython in use.
> To upgrade to 2.7.1 would be my last choice, because the application grew quite big and sadly there would be very many changes required in the old code.
>
> Best regards,
> Samuel
>
> *Sent:* Friday, 21 June 2019 at 13:26
> *From:* "Adam Burke" <ada...@gm...>
> *To:* "Samuel Schober" <sam...@we...>, "jyt...@li..." <jyt...@li...>
> *Subject:* Re: [Jython-users] CVE-2016-4000
>
> Going from the bug report, I didn’t work on it, and a core dev could correct me, but it’s specifically about deserializing Python objects.
>
> https://hg.python.org/jython/rev/d06e29d100c0
>
> It would depend on whether your app had an exposed endpoint that accepted Python objects. All the usual caveats about eg web form data hygiene apply.
>
> Without knowing your exact organizational or technical constraint, I would mention that security bugs can be excellent sticks for pushing through needed, but delayed, upgrades to current versions of infrastructure and libraries, like upgrading to Jython 2.7.1. Priorities can suddenly realign.
>
> Cheers
> Adam
>
> > On 21 Jun 2019, at 9:19 PM, Adam Burke <ada...@gm...> wrote:
> >
> > Going from the bug report, it’s specifically about deserializing Python objects.
> >
> > https://hg.python.org/jython/rev/d06e29d100c0
> >
> > It would depend on whether your app had an exposed endpoint that accepted Python objects. All the usual caveats about eg web form data hygiene apply.
> >
> > Without knowing your exact organizational or technical constraint, I would say that security bugs can be excellent sticks for pushing through needed, but delayed, upgrades to current versions of infrastructure and libraries, like upgrading to Jython 2.7.1. Priorities can suddenly realign.
> >
> > Cheers
> > Adam
> >
> > > On 21 Jun 2019, at 8:57 PM, Samuel Schober <sam...@we...> wrote:
> > >
> > > Hello,
> > >
> > > I am using the jython package for a project and have a question about an issue you had.
> > >
> > > The used version is 2.5.3 and unfortunately it can not be updated to 2.7.1.
> > > Now I found the following issue:
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
> > >
> > > It notices that jython allows attackers to execute arbitrary code and I wanted to ask what kind of code could be executed?
> > > Is it only python code which could be executed or is it possible to execute any kind of binary code?
> > > And is it possible to have influence on the server outside of the application or does it just affect my application?
> > >
> > > I hope you can help me with that question.
> > >
> > > Best regards,
> > > Samuel Schober
> > >
> > > _______________________________________________
> > > Jython-users mailing list
> > > Jyt...@li...
> > > https://lists.sourceforge.net/lists/listinfo/jython-users
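Adam's point that the bug comes down to deserialising Python objects generalises: any deserialiser that lets the incoming stream name the callable to run is code execution by design, so the defence is to reject anything the endpoint does not explicitly expect. The following is an added example, not code from this thread or from the Jython project; it uses CPython's own pickle as the Python-side analogue (the Jython bug is in its Java-side deserialisation, which this does not reproduce), and the allowlist contents and the endpoint's needs are assumptions.

```python
import io
import os
import pickle

# Assumption: the endpoint only ever needs plain containers and OrderedDict.
# Any (module, name) pair outside this set, callable or not, is refused.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted names from the stream."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialise with the allowlist enforced instead of pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsOnLoad:
    """Constructed sample object: its pickle tells the loader to call
    os.getcwd() (harmless here) while rebuilding it. That is the mechanism
    by which deserialising an untrusted object turns into code execution:
    the stream names the callable and the loader invokes it."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo():
    """Load a benign payload and a callable-bearing one through the
    restricted loader; returns what happened to each."""
    benign = pickle.dumps({"user": "samuel", "roles": ["editor"]})
    suspicious = pickle.dumps(CallsOnLoad())
    results = {"benign": restricted_loads(benign)}
    try:
        restricted_loads(suspicious)
        results["suspicious"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["suspicious"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Note that plain containers never trigger find_class at all, so they pass untouched, while the object that names a function is refused before the function is ever looked up.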