Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security scan reported problem with com.google.common.io.FileBackedOutputStream #2575

Closed
venusjain10 opened this issue Sep 26, 2016 · 17 comments
Assignees
Labels

Comments

@venusjain10
Copy link

We are using google commons APIs in our project and security scan on our code has reported following problem. Could you please let me know if this is of any concern or it can be fixed in new version of this API.

Problem: Creating and using insecure temporary files can leave application and system data vulnerable to attack. In particular,file names created by the tmpnam family of functions can be easily guessed by an attacker. If an attacker can predictthe filename and create a malicious collision, he may be able to manipulate the behavior of the application.

Recommendations (Generated by tool)
Ensure that unpredictable names are used for temporary files and that files are created in a secure directory with appropriate permissions. Using mkstemp() is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user, combined with a series of randomly generated characters. Note that mkstemp() is safe if only the descriptor is used and the returned filename is not used in a subsequent function call with extra privileges. Using mkstemp() does not completely eliminate race conditions but does provide better protection than other methods

Class:
com.google.common.io.FileBackedOutputStream

@lowasser
Copy link
Contributor

This seems like it could at least conceivably be a problem if, and only if, you used FileBackedOutputStream. Do you?

@abhisheksharma43
Copy link

I have not used the class FileBackedOutputStream directly. However I am not sure if the classes that we have used from the API internally use FileBackedOutputStream.

@cpovirk cpovirk added P2 package=io type=defect Bug, not working as expected labels Jul 25, 2019
@cpovirk cpovirk assigned cpovirk and unassigned cgdecker May 17, 2023
@cpovirk cpovirk added P2 and removed P3 labels May 17, 2023
copybara-service bot pushed a commit that referenced this issue May 25, 2023
…r fail if that's not possible.

(Also, check that the provided `fileThreshold` is non-negative.)

- Fixes #2575
- Fixes #4011

RELNOTES=Reimplemented `Files.createTempDir` and `FileBackedOutputStream` to further address [CVE-2020-8908](#4011) and [Guava issue #2575](#2575) (CVE forthcoming).
PiperOrigin-RevId: 526128408
@cpovirk
Copy link
Member

cpovirk commented May 25, 2023

I have a request in for a CVE for this, which is fundamentally the same as #4011. The just-merged fix will be part of the next release, hopefully to be published tomorrow.

@cpovirk
Copy link
Member

cpovirk commented May 30, 2023

(We have the number CVE-2023-2976 reserved, but it's not posted yet.)

copybara-service bot pushed a commit that referenced this issue May 31, 2023
…rk under Windows anymore (if ever they did).

Relates to:
- #4011
- #2575
- #2686

Also, fix some Javadoc.

RELNOTES=n/a
PiperOrigin-RevId: 536467940
copybara-service bot pushed a commit that referenced this issue May 31, 2023
…rk under Windows anymore (if ever they did).

Relates to:
- #4011
- #2575
- #2686

Also, fix some Javadoc.

RELNOTES=n/a
PiperOrigin-RevId: 536752422
@Horcrux7
Copy link

Horcrux7 commented Jun 2, 2023

The CVE-2023-2976 match also to the version 32.0.0. Is it fixed and the CVE version match is wrong or will it fix in the next version?

@pwagland
Copy link

pwagland commented Jun 2, 2023

SonaType also flags this CVE as being present in 32.0.0, despite the release notes saying the release fixes CVE-2023-2976.

Basically what do we need to do:

  1. Wait for upstream to fix their data, or
  2. Suppress this CVE, since we don't use these classes anyway, or
  3. Wait for a new fix, aka 32.0.1?

Trying not to just say "me too", I hope this is additional useful information.

@malfoj89
Copy link

malfoj89 commented Jun 2, 2023

yesteday it was okay - today it matches 32.0.0 any comment on that?

@cpovirk
Copy link
Member

cpovirk commented Jun 2, 2023

Thanks for the reports. I'd welcome any help in figuring this out on #6532.

@feilimb
Copy link

feilimb commented Jul 3, 2023

Can I ask if Windows 10 users are affected by this vulnerability, I am not entirely clear from reading of this issue whether this is related to Unix / Android OS only, or whether Windows users are also affected.

@cpovirk
Copy link
Member

cpovirk commented Jul 5, 2023

First, I should emphasize that almost no app uses FileBackedOutputStream. And if an app doesn't use it, then it's not affected.

If an app does use it, then my understanding is that the app is still safe under Windows because Windows gives each user a private temporary directory:

So, as best I understand, the problem is restricted to the cases laid out in CVE-2023-2976:

  • Linux systems whose temporary directory might be accessible to people you don't want to see your FileBackedOutputStream data. We made this case secure in new Guava versions.
  • Android Ice Cream Sandwich. That version is so old that probably no one is it, so we broke FileBackedOutputStream entirely in new Guava versions.

@feilimb
Copy link

feilimb commented Jul 6, 2023

@cpovirk Many thanks for the clarification Chris, that makes sense now and it is good to know that Windows is not affected.

wakaleo added a commit to serenity-bdd/serenity-core that referenced this issue Jul 15, 2023
julianladisch added a commit to julianladisch/vertx-dependencies that referenced this issue Sep 24, 2023
This fixes insecure permissions of files created in the temporary
directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976

Version 32 is binary compatible with version 30 because only the
GWT jar has breaking changes:
google/guava#2575 (comment)

I run CI for these repositories and found no regressions:

* vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333
* vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128
* vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml

The failures in vertx-zookeeper are not regressions because they
exist with 30.1.1-jre.

I found no other Vert.x repository that uses Guava and hasn't
been removed for Vert.x 5.

Obsoletes vert-x3#118
vietj pushed a commit to vert-x3/vertx-dependencies that referenced this issue Oct 6, 2023
This fixes insecure permissions of files created in the temporary
directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976

Version 32 is binary compatible with version 30 because only the
GWT jar has breaking changes:
google/guava#2575 (comment)

I run CI for these repositories and found no regressions:

* vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333
* vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128
* vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml

The failures in vertx-zookeeper are not regressions because they
exist with 30.1.1-jre.

I found no other Vert.x repository that uses Guava and hasn't
been removed for Vert.x 5.

Obsoletes #118
vietj pushed a commit to vert-x3/vertx-dependencies that referenced this issue Oct 6, 2023
This fixes insecure permissions of files created in the temporary
directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976

Version 32 is binary compatible with version 30 because only the
GWT jar has breaking changes:
google/guava#2575 (comment)

I run CI for these repositories and found no regressions:

* vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333
* vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128
* vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml

The failures in vertx-zookeeper are not regressions because they
exist with 30.1.1-jre.

I found no other Vert.x repository that uses Guava and hasn't
been removed for Vert.x 5.

Obsoletes #118
vietj pushed a commit to vert-x3/vertx-dependencies that referenced this issue Oct 6, 2023
This fixes insecure permissions of files created in the temporary
directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976

Version 32 is binary compatible with version 30 because only the
GWT jar has breaking changes:
google/guava#2575 (comment)

I run CI for these repositories and found no regressions:

* vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333
* vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128
* vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml

The failures in vertx-zookeeper are not regressions because they
exist with 30.1.1-jre.

I found no other Vert.x repository that uses Guava and hasn't
been removed for Vert.x 5.

Obsoletes #118
vietj pushed a commit to vert-x3/vertx-dependencies that referenced this issue Oct 6, 2023
This fixes insecure permissions of files created in the temporary
directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976

Version 32 is binary compatible with version 30 because only the
GWT jar has breaking changes:
google/guava#2575 (comment)

I run CI for these repositories and found no regressions:

* vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333
* vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128
* vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml

The failures in vertx-zookeeper are not regressions because they
exist with 30.1.1-jre.

I found no other Vert.x repository that uses Guava and hasn't
been removed for Vert.x 5.

Obsoletes #118
vietj pushed a commit to vert-x3/vertx-dependencies that referenced this issue Oct 6, 2023
This fixes insecure permissions of files created in the temporary
directory: https://nvd.nist.gov/vuln/detail/CVE-2023-2976

Version 32 is binary compatible with version 30 because only the
GWT jar has breaking changes:
google/guava#2575 (comment)

I run CI for these repositories and found no regressions:

* vertx-config: https://github.com/julianladisch/vertx-config/actions/runs/6289869333
* vertx-grpc: https://github.com/julianladisch/vertx-grpc/actions/runs/6289478128
* vertx-zookeeper: https://github.com/julianladisch/vertx-zookeeper/actions/workflows/ci-5.x.yml

The failures in vertx-zookeeper are not regressions because they
exist with 30.1.1-jre.

I found no other Vert.x repository that uses Guava and hasn't
been removed for Vert.x 5.

Obsoletes #118
Grimoren added a commit to Grimoren/hadoop-thirdparty that referenced this issue Oct 17, 2023
Published Vulnerabilities
CVE-2023-2976 

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

CWE-552 Files or Directories Accessible to External Parties

CVSSv3:
Base Score: HIGH (7.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References:
MISC - google/guava#2575
MISC - https://security.netapp.com/advisory/ntap-20230818-0008/
OSSINDEX - [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2976
OSSIndex - google/guava#2575
OSSIndex - https://github.com/google/guava/releases/tag/v32.0.0
Vulnerable Software & Versions:

cpe:2.3:a:google:guava:*:*:*:*:*:*:*:* versions up to (excluding) 32.0.0
CVE-2020-8908  suppress

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
Base Score: LOW (2.1)
Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: LOW (3.3)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:
CONFIRM - google/guava@fec0dbc
CONFIRM - google/guava#4011
CONFIRM - https://security.netapp.com/advisory/ntap-20220210-0003/
MISC - https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E
MISC - https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E
MISC - https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E
MISC - https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E
MISC - https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E
MISC - https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E
MISC - https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E
MISC - https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E
MISC - https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E
MISC - https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E
MISC - https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E
MISC - https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E
MISC - https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E
MISC - https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E
MISC - https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E
MISC - https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E
MISC - https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E
MISC - https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E
MISC - https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E
MISC - https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
MISC - https://www.oracle.com/security-alerts/cpuApr2021.html
MISC - https://www.oracle.com/security-alerts/cpuapr2022.html
MISC - https://www.oracle.com/security-alerts/cpujan2022.html
MISC - https://www.oracle.com/security-alerts/cpuoct2021.html
N/A - N/A
OSSINDEX - [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
OSSIndex - google/guava#4011
Vulnerable Software & Versions: (show all)

cpe:2.3:a:google:guava:*:*:*:*:*:*:*:* versions up to (excluding) 32.0.0
...
kunner added a commit to rchemist/rcm-framework-release that referenced this issue Apr 3, 2024
kunner added a commit to rchemist/rcm-framework-release that referenced this issue Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet