Bug 1188529 – VUL-0: CVE-2021-26291: maven: Block repositories using http by default

Bug 1188529 - (CVE-2021-26291) VUL-0: CVE-2021-26291: maven: Block repositories using http by default

(CVE-2021-26291)
Summary:	VUL-0: CVE-2021-26291: maven: Block repositories using http by default

Status:	RESOLVED WORKSFORME

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Fridrich Strba
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/282803/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-26291:7.4:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-07-20 16:30 UTC by Wolfgang Frisch
Modified:	2022-07-25 08:20 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2021-07-20 16:30:18 UTC

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior.

References:

https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E
https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/04/23/5
https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E
https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E
https://bugzilla.redhat.com/show_bug.cgi?id=1955739
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26291
http://seclists.org/oss-sec/2021/q2/72
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291

Comment 1 Wolfgang Frisch 2021-07-20 16:36:56 UTC

SUSE:SLE-15-SP2:Update is affected. 

This is a borderline case, since the old behavior was publicly documented and customers of stable distros might be surprised by the changed behavior. I'd still apply the patches but I appreciate a second opinion.

Upstream commits: 
MNG-7117: https://github.com/apache/maven/commit/28b4ea92d38365d0f27a5bd044ac4927580147f8
MNG-7116: https://github.com/apache/maven/commit/3b21386c3f1ab85060f6c950fb2fb17123df8647
MNG-7118: https://github.com/apache/maven/commit/67125676eef313e592da6424a9be0c90c5e6bca5

Comment 2 Fridrich Strba 2022-04-08 05:23:47 UTC

We currently have maven 3.8.4 in Tumbleweed.

Comment 3 Fridrich Strba 2022-04-08 05:24:04 UTC