-
Notifications
You must be signed in to change notification settings - Fork 10.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security scan reported problem with com.google.common.io.FileBackedOutputStream #2575
Comments
This seems like it could at least conceivably be a problem if, and only if, you used FileBackedOutputStream. Do you? |
I have not used the class FileBackedOutputStream directly. However I am not sure if the classes that we have used from the API internally use FileBackedOutputStream. |
…r fail if that's not possible. (Also, check that the provided `fileThreshold` is non-negative.) - Fixes #2575 - Fixes #4011 RELNOTES=Reimplemented `Files.createTempDir` and `FileBackedOutputStream` to further address [CVE-2020-8908](#4011) and [Guava issue #2575](#2575) (CVE forthcoming). PiperOrigin-RevId: 526128408
I have a request in for a CVE for this, which is fundamentally the same as #4011. The just-merged fix will be part of the next release, hopefully to be published tomorrow. |
(We have the number CVE-2023-2976 reserved, but it's not posted yet.) |
The CVE-2023-2976 match also to the version 32.0.0. Is it fixed and the CVE version match is wrong or will it fix in the next version? |
SonaType also flags this CVE as being present in 32.0.0, despite the release notes saying the release fixes CVE-2023-2976. Basically what do we need to do:
Trying not to just say "me too", I hope this is additional useful information. |
yesteday it was okay - today it matches 32.0.0 any comment on that? |
Thanks for the reports. I'd welcome any help in figuring this out on #6532. |
Can I ask if Windows 10 users are affected by this vulnerability, I am not entirely clear from reading of this issue whether this is related to Unix / Android OS only, or whether Windows users are also affected. |
First, I should emphasize that almost no app uses If an app does use it, then my understanding is that the app is still safe under Windows because Windows gives each user a private temporary directory:
So, as best I understand, the problem is restricted to the cases laid out in CVE-2023-2976:
|
@cpovirk Many thanks for the clarification Chris, that makes sense now and it is good to know that Windows is not affected. |
This fixes insecure permissions of files created in the temporary directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 Version 32 is binary compatible with version 30 because only the GWT jar has breaking changes: google/guava#2575 (comment) I run CI for these repositories and found no regressions: * vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333 * vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128 * vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml The failures in vertx-zookeeper are not regressions because they exist with 30.1.1-jre. I found no other Vert.x repository that uses Guava and hasn't been removed for Vert.x 5. Obsoletes vert-x3#118
This fixes insecure permissions of files created in the temporary directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 Version 32 is binary compatible with version 30 because only the GWT jar has breaking changes: google/guava#2575 (comment) I run CI for these repositories and found no regressions: * vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333 * vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128 * vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml The failures in vertx-zookeeper are not regressions because they exist with 30.1.1-jre. I found no other Vert.x repository that uses Guava and hasn't been removed for Vert.x 5. Obsoletes #118
This fixes insecure permissions of files created in the temporary directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 Version 32 is binary compatible with version 30 because only the GWT jar has breaking changes: google/guava#2575 (comment) I run CI for these repositories and found no regressions: * vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333 * vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128 * vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml The failures in vertx-zookeeper are not regressions because they exist with 30.1.1-jre. I found no other Vert.x repository that uses Guava and hasn't been removed for Vert.x 5. Obsoletes #118
This fixes insecure permissions of files created in the temporary directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 Version 32 is binary compatible with version 30 because only the GWT jar has breaking changes: google/guava#2575 (comment) I run CI for these repositories and found no regressions: * vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333 * vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128 * vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml The failures in vertx-zookeeper are not regressions because they exist with 30.1.1-jre. I found no other Vert.x repository that uses Guava and hasn't been removed for Vert.x 5. Obsoletes #118
This fixes insecure permissions of files created in the temporary directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 Version 32 is binary compatible with version 30 because only the GWT jar has breaking changes: google/guava#2575 (comment) I run CI for these repositories and found no regressions: * vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333 * vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128 * vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml The failures in vertx-zookeeper are not regressions because they exist with 30.1.1-jre. I found no other Vert.x repository that uses Guava and hasn't been removed for Vert.x 5. Obsoletes #118
This fixes insecure permissions of files created in the temporary directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 Version 32 is binary compatible with version 30 because only the GWT jar has breaking changes: google/guava#2575 (comment) I run CI for these repositories and found no regressions: * vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333 * vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128 * vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml The failures in vertx-zookeeper are not regressions because they exist with 30.1.1-jre. I found no other Vert.x repository that uses Guava and hasn't been removed for Vert.x 5. Obsoletes #118
Published Vulnerabilities CVE-2023-2976 Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. CWE-552 Files or Directories Accessible to External Parties CVSSv3: Base Score: HIGH (7.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N References: MISC - google/guava#2575 MISC - https://security.netapp.com/advisory/ntap-20230818-0008/ OSSINDEX - [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2976 OSSIndex - google/guava#2575 OSSIndex - https://github.com/google/guava/releases/tag/v32.0.0 Vulnerable Software & Versions: cpe:2.3:a:google:guava:*:*:*:*:*:*:*:* versions up to (excluding) 32.0.0 CVE-2020-8908 suppress A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. CWE-732 Incorrect Permission Assignment for Critical Resource CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N References: CONFIRM - google/guava@fec0dbc CONFIRM - google/guava#4011 CONFIRM - https://security.netapp.com/advisory/ntap-20220210-0003/ MISC - https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E MISC - https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E MISC - https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E MISC - https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E MISC - https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E MISC - https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E MISC - https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E MISC - https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E MISC - https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E MISC - https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E MISC - https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E MISC - https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E MISC - https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E MISC - https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E MISC - https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E MISC - https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E MISC - https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E MISC - https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E MISC - https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E MISC - https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E MISC - https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E MISC - https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E MISC - https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E MISC - https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E MISC - https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E MISC - https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E MISC - https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415 MISC - https://www.oracle.com/security-alerts/cpuApr2021.html MISC - https://www.oracle.com/security-alerts/cpuapr2022.html MISC - https://www.oracle.com/security-alerts/cpujan2022.html MISC - https://www.oracle.com/security-alerts/cpuoct2021.html N/A - N/A OSSINDEX - [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions OSSIndex - google/guava#4011 Vulnerable Software & Versions: (show all) cpe:2.3:a:google:guava:*:*:*:*:*:*:*:* versions up to (excluding) 32.0.0 ...
We are using google commons APIs in our project and security scan on our code has reported following problem. Could you please let me know if this is of any concern or it can be fixed in new version of this API.
Problem: Creating and using insecure temporary files can leave application and system data vulnerable to attack. In particular,file names created by the tmpnam family of functions can be easily guessed by an attacker. If an attacker can predictthe filename and create a malicious collision, he may be able to manipulate the behavior of the application.
Recommendations (Generated by tool)
Ensure that unpredictable names are used for temporary files and that files are created in a secure directory with appropriate permissions. Using mkstemp() is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user, combined with a series of randomly generated characters. Note that mkstemp() is safe if only the descriptor is used and the returned filename is not used in a subsequent function call with extra privileges. Using mkstemp() does not completely eliminate race conditions but does provide better protection than other methods
Class:
com.google.common.io.FileBackedOutputStream
The text was updated successfully, but these errors were encountered: