High-severity vulnerability in self-validation feature enabled injection of arbitrary Java EL expressions

Dropwizard RCE security flaw now fully patched following partial fix

Users of Dropwizard, the Java framework for developing RESTful web services, have been urged to update to the latest version following the discovery of a remote code execution (RCE) vulnerability.

The high-impact flaw (CVE-2020-11002) relates to server-side template injection (SSTI) in the SelfValidating feature of dropwizard-validation that enables injection of arbitrary Java EL expressions, according to a GitHub advisory published on April 10.

The release of new Dropwizard versions follows the previous issue of patches that only partially fixed the underlying flaw.

Counting Beans

The Dropwizard bug was discovered by GitHub Security Lab’s Alvaro Muñoz during his research into Java Bean validation that initially found similar issues in Sonatype Nexus repository manager.

“When a [Dropwizard] user submits a POST/PUT request, its JSON contents will be unmarshalled into a Java Bean and, if self-validation is enabled, the method annotated with @SelfValidation on that bean will be invoked,” Muñoz told The Daily Swig.

“If this validation method determines that the Bean properties are not valid, it will emit an error message back to the user,” such as checking for non-null values or a property’s conformance to a specific format.

The vulnerability emerges when validated, normally untrusted properties “are reflected in the error message (eg: The value entered (FOO) is not a valid email address), since any Expression Language expressions on it will be evaluated during the error message interpolation,” explained Muñoz.

Patch timeline

The first, partially effective Dropwizard versions – 1.3.19 and 2.0.2 – were released on February 24.

They “did a great job in sanitizing the data passed to the vulnerable API,” said Muñoz.

“However, separate bugs in Hibernate Validator and Jakarta EL allowed syntactically incorrect EL expressions to be processed as valid and the sanitization procedure did not account for them.”

READ MORE Vulnerabilities in web and app frameworks fall, but weaponization rate jumps – study

Anyone using a self-validating bean via the SelfValidating feature are instead advised to update to subsequently released versions 1.3.21 or 2.0.3, which have disabled the evaluation of EL expressions by default.

Use of interpolation in violation messages added to ViolationCollector must now be explicitly allowed by setting SelfValidating#escapeExpressions() to false.

The advisory also recommends using addViolation methods supporting message parameters instead of the EL expressions introduced in the latest versions.

No evidence of exploitation

Download statistics from Maven Central “don’t show a particular strong uptake (yet)” of the latest versions, the Dropwizard project maintainer told The Daily Swig.

Users unable to immediately upgrade can securely make use of the SelfValidating feature by properly sanitizing messages before adding them to the ViolationCollector in the SelfValidation-annotated method.

The project maintainer said they had seen no evidence of the flaw being exploited in the wild and are unsure on the number of affected users “since it’s an opt-in feature which isn’t exposed without the developers explicitly building it into their validation pipeline”.

Said Muñoz: “This is not a vulnerability in the framework per-se, but an RCE vulnerable API being exposed to developers without proper information.

“Developers need to exercise a specific API which significantly reduces the number of vulnerable applications.”

Dropwizard has published a clear security policy, complete with contact details for disclosing vulnerabilities, following the bug’s discovery.

YOU MIGHT ALSO LIKE Git security: Newline injection bug tricked version control system into leaking usernames and password