High-severity vulnerability in self-validation feature enabled injection of arbitrary Java EL expressions
The high-impact flaw (CVE-2020-11002) relates to server-side template injection (SSTI) in the SelfValidating feature of dropwizard-validation that enables injection of arbitrary Java EL expressions, according to a GitHub advisory published on April 10.
The release of the new Dropwizard versions follows earlier patches that only partially fixed the underlying flaw.
The Dropwizard bug was discovered by GitHub Security Lab’s Alvaro Muñoz during his research into Java Bean validation that initially found similar issues in Sonatype Nexus repository manager.
“When a [Dropwizard] user submits a POST/PUT request, its JSON contents will be unmarshalled into a Java Bean and, if self-validation is enabled, the method annotated with @SelfValidation on that bean will be invoked,” Muñoz told The Daily Swig.
“If this validation method determines that the Bean properties are not valid, it will emit an error message back to the user,” such as checking for non-null values or a property’s conformance to a specific format.
The vulnerability emerges when validated, normally untrusted properties “are reflected in the error message (e.g. The value entered (FOO) is not a valid email address), since any Expression Language expressions on it will be evaluated during the error message interpolation,” explained Muñoz.
The first, partially effective Dropwizard versions – 1.3.19 and 2.0.2 – were released on February 24.
They “did a great job in sanitizing the data passed to the vulnerable API,” said Muñoz.
“However, separate bugs in Hibernate Validator and Jakarta EL allowed syntactically incorrect EL expressions to be processed as valid and the sanitization procedure did not account for them.”
Anyone using a self-validating bean via the SelfValidating feature is instead advised to update to the subsequently released versions 1.3.21 or 2.0.3, which disable the evaluation of EL expressions by default.
The advisory also recommends using the addViolation methods that support message parameters, introduced in the latest versions, rather than building messages that contain EL expressions.
No evidence of exploitation
Download statistics from Maven Central “don’t show a particular strong uptake (yet)” of the latest versions, the Dropwizard project maintainer told The Daily Swig.
Users unable to immediately upgrade can securely make use of the SelfValidating feature by properly sanitizing messages before adding them to the ViolationCollector in the SelfValidation-annotated method.
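As an added illustration of the advisory's two recommendations (message parameters on patched versions, and sanitising the message on versions that cannot yet be upgraded), the following class is example code written for this page, not code from the article, the advisory or the Dropwizard project. The class names, the `email` field and the regex are invented; the two-argument `addViolation(String, Map)` form is assumed from the advisory's wording about "addViolation methods supporting message parameters".

```java
// Added illustration (not Dropwizard's own code): three ways of reporting the
// same self-validation failure described in the article. Names are invented.
import com.fasterxml.jackson.annotation.JsonProperty;
import io.dropwizard.validation.selfvalidating.SelfValidating;
import io.dropwizard.validation.selfvalidating.SelfValidation;
import io.dropwizard.validation.selfvalidating.ViolationCollector;

import java.util.Collections;
import java.util.regex.Pattern;

public final class SelfValidationExamples {

    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    /** VULNERABLE: untrusted request data is spliced into the message template. */
    @SelfValidating
    public static final class UnsafeSignup {
        @JsonProperty
        private String email;   // taken verbatim from the POST/PUT body

        @SelfValidation
        public void validate(ViolationCollector collector) {
            if (email == null || !EMAIL.matcher(email).matches()) {
                // On Dropwizard < 1.3.21 / < 2.0.3 this string becomes the message
                // *template*, so the interpolator evaluates any EL syntax the
                // client placed in "email" before the error text is returned.
                collector.addViolation("The value entered (" + email + ") is not a valid email address");
            }
        }
    }

    /** FIXED (1.3.21 / 2.0.3 and later): the value travels as a message parameter. */
    @SelfValidating
    public static final class SafeSignup {
        @JsonProperty
        private String email;

        @SelfValidation
        public void validate(ViolationCollector collector) {
            if (email == null || !EMAIL.matcher(email).matches()) {
                // The template is a developer-controlled constant; the untrusted
                // value is substituted into {value} as data, not parsed as EL.
                // Signature assumed from the advisory's description.
                collector.addViolation("The value entered ({value}) is not a valid email address",
                        Collections.singletonMap("value", email));
            }
        }
    }

    /** FALLBACK for deployments that cannot upgrade yet: neutralise the value first. */
    @SelfValidating
    public static final class LegacySignup {
        @JsonProperty
        private String email;

        @SelfValidation
        public void validate(ViolationCollector collector) {
            if (email == null || !EMAIL.matcher(email).matches()) {
                collector.addViolation("The value entered (" + escapeTemplate(email)
                        + ") is not a valid email address");
            }
        }
    }

    /**
     * Backslash-escapes every character that has meaning to the message
     * interpolator: '\', '{', '}' and '$' per the escape convention documented
     * for Hibernate Validator message descriptors, plus '#' as a conservative
     * extra since Jakarta EL also recognises "#{". The article notes that an
     * earlier sanitiser was bypassed via malformed EL, so prefer upgrading,
     * or omit the raw value from the message altogether.
     */
    static String escapeTemplate(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 8);
        for (char c : untrusted.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$' || c == '#') {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }
}
```

The important difference between the first two beans is who controls the template string: in `UnsafeSignup` the client does, in `SafeSignup` only the developer does. The fallback escaper is the weakest of the three options precisely because, as the article reports, the first round of patches relied on sanitisation and was bypassed.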
The project maintainer said they had seen no evidence of the flaw being exploited in the wild and are unsure of the number of affected users “since it’s an opt-in feature which isn’t exposed without the developers explicitly building it into their validation pipeline”.
Said Muñoz: “This is not a vulnerability in the framework per se, but an RCE-vulnerable API being exposed to developers without proper information.
“Developers need to exercise a specific API which significantly reduces the number of vulnerable applications.”
Dropwizard has published a clear security policy, complete with contact details for disclosing vulnerabilities, following the bug’s discovery.