[jdom-interest] Checking list health
Rolf Lear
jdom at tuis.net
Thu Jan 22 10:33:50 PST 2015
Here's more detail on the IBM security audit:
In late 2013 IBM contacted the mailing list here:
http://markmail.org/message/ufvpxiblhcgdlpoc
We responded to them, and got the full report of the vulnerabilities
they had identified in JDOM.
This scan was done as part of IBM's standard processes when using open
source software, and part of their commitment to the open source
community.
JDOM 2.0.5
==========
They identified 2 basic issues in JDOM 2.0.5 appearing in a number of
different places:
Vulnerability        CWE Link          Severity  API Call                         Line Number  Trace (right click->Show/Hide Comments to view)  File Containing Vulnerability
PathTraversal        Weakness ID: 73   HIGH      java.io.File.<init>              180          Trace in comment                                 C:\jdom\2.0.5\Java\org\jdom2\contrib\beans\JDOMBean.java
PathTraversal        Weakness ID: 73   HIGH      java.io.File.<init>              236          Trace in comment                                 C:\jdom\2.0.5\Java\org\jdom2\contrib\beans\JDOMBean.java
PrivilegeEscalation  Weakness ID: 266  MEDIUM    java.lang.reflect.Method.invoke  1357         Trace in comment                                 C:\jdom\2.0.5\Java\org\jdom2\test\cases\output\AbstractTestOutputter.java
PrivilegeEscalation  Weakness ID: 266  MEDIUM    java.lang.reflect.Method.invoke  1357         Trace in comment                                 C:\jdom\2.0.5\Java\org\jdom2\test\cases\output\AbstractTestOutputter.java
PrivilegeEscalation  Weakness ID: 266  MEDIUM    java.lang.reflect.Method.invoke  1357         Trace in comment                                 C:\jdom\2.0.5\Java\org\jdom2\test\cases\output\AbstractTestOutputter.java
PrivilegeEscalation  Weakness ID: 266  MEDIUM    java.lang.reflect.Method.invoke  1357         Trace in comment                                 C:\jdom\2.0.5\Java\org\jdom2\test\cases\output\AbstractTestOutputter.java
(... and 38 additional places where AbstractTestOutputter had the same
reflection problem).
I consider these issues to be 'mostly' benign. The "HIGH severity"
JDOMBean file problem is in the Contrib area of JDOM, and not in the
core. The actual vulnerability is because it has a static File instance
which is vulnerable in places where the JVM is compromised and someone
'hacks' the static location, leading to the loading of unexpected
content.
I resolved the issue in this commit:
https://github.com/hunterhacker/jdom/commit/c0f7b99d953730413da41ccc8028cd7120e45ec2
(which was duplicated in the master branch too). The fix I employed was
simply to remove the instance field, and be done with it. It is
unsupported code, and for example purposes only. This was a decision
made for the 2.x release, that contrib was completely unsupported.
The remaining issues in 2.0.5 are related to a reflection hack I did in
the JUnit test cases to help 'simplify' the harness. The fix I employed
was to rename the methods that were otherwise called with reflection,
and instead call the methods directly by name. You can see the fix here:
https://github.com/hunterhacker/jdom/commit/7cb87783b7d023dcfa77f742fe29bfe6b8be220b
Again, this issue is minor - it is in the JUnit test cases, and has
been resolved without impact at all.
Note that although these fixes are in the source code, there has not
been a release of JDOM 2.x since then. These fixes will not impact any
code that is shipped. The code is not in maven, nor in the binary
distribution. It is in the support code only.
Older versions
==============
In addition to testing JDOM 2.0.5, they also tested 1.1.2 and 1.0. The
1.0 version has the same issues as 1.1.2.
JDOM 1.1.2 has the following identified issues:
Potential privilege escalation in JDOMException when reporting the
parent exception:
https://github.com/hunterhacker/jdom/blob/jdom-1.x/core/src/java/org/jdom/JDOMException.java#L353
Similarly here:
https://github.com/hunterhacker/jdom/blob/jdom-1.x/core/src/java/org/jdom/JDOMException.java#L328
Note that the above code is not in JDOM 2.x at all, and relates to the
history of Java where the cause of exceptions was not part of the Java
API.
The final issues in JDOM 1.1.2 are related to the use of reflection to
identify early Java versions without JAXP:
java.lang.reflect.Method.invoke 104 C:\jdom\1.1.2\Java\src\java\org\jdom\adapters\CrimsonDOMAdapter.java
java.lang.reflect.Method.invoke 616 C:\jdom\1.1.2\Java\src\java\org\jdom\input\SAXBuilder.java
java.lang.reflect.Method.invoke 460 C:\jdom\1.1.2\Java\src\java\org\jdom\output\Format.java
The code links are:
https://github.com/hunterhacker/jdom/blob/jdom-1.x/core/src/java/org/jdom/adapters/CrimsonDOMAdapter.java#L104
https://github.com/hunterhacker/jdom/blob/jdom-1.x/core/src/java/org/jdom/input/SAXBuilder.java#L616
https://github.com/hunterhacker/jdom/blob/jdom-1.x/core/src/java/org/jdom/output/Format.java#L460
Note that the Format issue related to needing to compile 1.1.x on old
versions of Java (1.2, and 1.3) which did not have the NIO Charset
classes.
Rolf.
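Added illustration of the CWE-73 pattern behind the JDOMBean finding above. This is constructed example code, not JDOMBean's source and not the fix committed to JDOM; the class names, the field `baseDir`, the method `load` and the directory `/var/app/xml` are all assumptions. It shows the "before" shape (a mutable static File that every caller follows) next to a "after" shape that drops the shared static state, and it additionally canonicalises and checks the resolved path, which goes a step beyond the remove-the-field fix described in the mail.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

/**
 * Constructed illustration only. Neither nested class is JDOM's own code;
 * field, method and directory names are assumptions made for this example.
 */
public class StaticFileExample {

    /** BEFORE: a mutable static File decides where every caller reads from. */
    public static class UnsafeLoader {
        // Any code sharing this JVM can reassign this field once, and every
        // later load follows it, so one write redirects all readers.
        public static File baseDir = new File("/var/app/xml");

        public static Document load(String name) throws JDOMException, IOException {
            return new SAXBuilder().build(new File(baseDir, name));
        }
    }

    /** AFTER: no shared mutable state, and the resolved path is checked. */
    public static final class SafeLoader {
        private final Path baseDir;

        public SafeLoader(File baseDir) throws IOException {
            // Canonicalise once so symlinks and ".." in the base itself are resolved.
            this.baseDir = baseDir.getCanonicalFile().toPath();
        }

        public Document load(String name) throws JDOMException, IOException {
            Path target = new File(baseDir.toFile(), name).getCanonicalFile().toPath();
            // Reject anything whose canonical form escapes the base directory.
            if (!target.startsWith(baseDir)) {
                throw new IOException("Refusing to read outside " + baseDir + ": " + name);
            }
            return new SAXBuilder().build(target.toFile());
        }
    }

    public static void main(String[] args) throws Exception {
        // Base directory defaults to the working directory; a traversal name is refused.
        SafeLoader loader = new SafeLoader(new File(args.length > 0 ? args[0] : "."));
        try {
            loader.load("../outside.xml");
        } catch (IOException expected) {
            System.out.println("Blocked: " + expected.getMessage());
        }
    }
}
```

The point of the "after" class is that the location is an instance-scoped, final value supplied by whoever constructs the loader, so there is no process-wide field for other code to repoint; the canonical-path check is a separate, defence-in-depth measure against names containing ".." or symlinks.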
On 2015-01-22 11:48, Scott LaChance wrote:
> The IBM security audit sounds interesting. Can someone elaborate on
> that?
>
> Sent from my iPhone
>
>> On Jan 22, 2015, at 10:46 AM, Rolf Lear <jdom at tuis.net> wrote:
>>
>> I am overdue on a couple of things JDOM related.
>>
>> let's be clear, even though Cecil says: "And the code must be
>> working perfectly :-)", given the volume of downloads, that is close
>> to accurate. JDOM is currently very successful.
>>
>> Here's a hit list of things which I believe should be done:
>>
>> 1. Year-in-review update on some of the events that have happened:
>> - Eclipse inclusion
>> - IBM security audit
>> - tutorial sites and FAQ translations
>> - Java8 bugs
>> - statistics of downloads and other activities from Maven, etc.
>> 2. Plan for Java 8 nice-to-haves
>> - direct JDOM 2.1 for Java8 support of streams, other niceties
>> 3. XML 1.1 character validation
>> 4. XPath 2.0 (Saxon support?) - xalan has gone fairly quiet
>>
>> As for feedback, the JDOM interest list has been quiet, but
>> StackOverflow activity has been slow-but-steady. People are using
>> JDOM. 190 questions asked in 2014 for JDOM:
>> http://stackoverflow.com/search?q=created%3A2014+[jdom]+or+[jdom-2]
>>
>> Unfortunately, a lot of the usage is still on 1.x versions, about
>> 50% of questions on StackOverflow are for older versions.
>>
>> Jason can maybe provide statistics for the base server downloads,
>> but maven-central has seen the following (let's see if these links
>> work... - if they don't I will respond later):
>>
>>
>> http://chart.apis.google.com/chart?cht=lc&chs=800x200&chco=326A9E&chxt=x,y&chtt=Downloads+Over+the+Last+12+Months+For+org.jdom&chxr=1,0,174133&chds=0,174133&chxs=1N*s*&chls=3&chm=o,0066FF,0,-1,10,0&chd=t:99538,103678,112177,111238,144999,135498,146573,138067,139843,135834,164626,174133&chxl=0:|Jan2014|Feb2014|Mar2014|Apr2014|May2014|Jun2014|Jul2014|Aug2014|Sep2014|Oct2014|Nov2014|Dec2014
>>
>> This download activity can be presented in the form of unique IDs
>> too:
>>
>>
>> http://chart.apis.google.com/chart?cht=lc&chs=800x200&chco=326A9E&chxt=x,y&chtt=Unique%20IPs+Over+the+Last+12+Months+For+org.jdom:jdom&chxr=1,0,65408&chds=0,65408&chxs=1N*s*&chls=3&chm=o,0066FF,0,-1,10,0&chd=t:34454,37307,41365,39342,43554,46225,50756,48704,27497,23741,57305,65408&chxl=0:|Jan2014|Feb2014|Mar2014|Apr2014|May2014|Jun2014|Jul2014|Aug2014|Sep2014|Oct2014|Nov2014|Dec2014
>>
>>
>>
>> Downloads broken down by versions
>>
>> JDOM 1.x:
>>
>>
>> http://chart.apis.google.com/chart?cht=lc&chs=800x200&chco=326A9E&chxt=x,y&chtt=Downloads+Over+the+Last+12+Months+For+org.jdom:jdom&chxr=1,0,156557&chds=0,156557&chxs=1N*s*&chls=3&chm=o,0066FF,0,-1,10,0&chd=t:84755,89410,96793,94324,104023,108547,124381,124479,125471,120968,147666,156557&chxl=0:|Jan2014|Feb2014|Mar2014|Apr2014|May2014|Jun2014|Jul2014|Aug2014|Sep2014|Oct2014|Nov2014|Dec2014
>>
>> JDOM 2.x
>>
>>
>> http://chart.apis.google.com/chart?cht=lc&chs=800x200&chco=326A9E&chxt=x,y&chtt=Downloads+Over+the+Last+12+Months+For+org.jdom:jdom2&chxr=1,0,34490&chds=0,34490&chxs=1N*s*&chls=3&chm=o,0066FF,0,-1,10,0&chd=t:12473,12092,12384,13980,34490,25304,20254,11196,11922,12315,14194,15143&chxl=0:|Jan2014|Feb2014|Mar2014|Apr2014|May2014|Jun2014|Jul2014|Aug2014|Sep2014|Oct2014|Nov2014|Dec2014
>>
>> With 2.0.5 specifically being:
>>
>>
>> http://chart.apis.google.com/chart?cht=lc&chs=800x200&chco=326A9E&chxt=x,y&chtt=Downloads+Over+the+Last+12+Months+For+org.jdom:jdom2:2.0.5&chxr=1,0,32129&chds=0,32129&chxs=1N*s*&chls=3&chm=o,0066FF,0,-1,10,0&chd=t:10330,9968,9832,11321,32129,22974,17695,8217,9039,9689,11355,12529&chxl=0:|Jan2014|Feb2014|Mar2014|Apr2014|May2014|Jun2014|Jul2014|Aug2014|Sep2014|Oct2014|Nov2014|Dec2014
>>
>> The bottom line is that from maven only, cumulatively, there have
>> been about 200,000 downloads of JDOM 2.0.5
>>
>> Rolf
>>
>>> On 2015-01-22 01:19, Jason Hunter wrote:
>>> Just wondering if the list is alive. :)
>>>
>>> -jh-
>>>
>>> _______________________________________________
>>> To control your jdom-interest membership:
>>>
>>> http://www.jdom.org/mailman/options/jdom-interest/youraddr@yourhost.com
>>