CVE-2013-1768: Apache OpenJPA security vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
OpenJPA 1.0.0 to 1.0.4
OpenJPA 1.1.0
OpenJPA 1.3.0
OpenJPA 1.2.0 to 1.2.2
OpenJPA 2.0.0 to 2.0.1
OpenJPA 2.1.0 to 2.1.1
OpenJPA 2.2.0 to 2.2.1

Description:
Deserialization of a maliciously crafted OpenJPA object can result in an executable file being written to the file system. An attacker needs to discover an unprotected server program to exploit the vulnerability, and then needs to exploit another unprotected server program to execute the file and gain access to the system. OpenJPA usage by itself does not introduce the vulnerability.

Mitigation:
Users of OpenJPA using a release based upon the JPA 1.0 specification level should upgrade to the OpenJPA 1.2.3 release.
Users of OpenJPA using a release based upon the JPA 2.0 specification level should upgrade to the OpenJPA 2.2.2 release.
Users needing to stay on their current release should get the latest code from svn for the corresponding branch level or apply a source patch and build a new binary package. Nightly snapshots of the latest source builds are also available for many branches.
OpenJPA release branch levels and corresponding fix revisions:
OpenJPA 1.0.x   revision 1462558: http://svn.apache.org/viewvc?view=revision&revision=1462558
OpenJPA 1.1.x   revision 1462512: http://svn.apache.org/viewvc?view=revision&revision=1462512
OpenJPA 1.2.x   revision 1462488: http://svn.apache.org/viewvc?view=revision&revision=1462488
OpenJPA 1.3.x   revision 1462328: http://svn.apache.org/viewvc?view=revision&revision=1462328
OpenJPA 2.0.x   revision 1462318: http://svn.apache.org/viewvc?view=revision&revision=1462318
OpenJPA 2.1.x   revision 1462268: http://svn.apache.org/viewvc?view=revision&revision=1462268
OpenJPA 2.2.1.x revision 1462225: http://svn.apache.org/viewvc?view=revision&revision=1462225
OpenJPA 2.2.x   revision 1462076: http://svn.apache.org/viewvc?view=revision&revision=1462076

Example:
An attacker creates a customized serialization of an OpenJPA object.
The attacker exploits an unprotected server program to execute the object.
The object includes logic that results in malicious trace being written to a file, such as a JSP.
The file containing malicious commands is written to a potentially vulnerable area of the system.
The attacker exploits a second unprotected server program to execute the file and gain access to the system.

Credit:
This issue was discovered by Pierre Ernst of IBM Corporation.