At a glance (16:14)
- The default installation of XC does not include the vulnerable plug-in (16:03 update)
Background
GX uses a so-called 'build pipeline' to build, test and deploy software in a structured and consistent manner. That process starts with the source code of the software and goes through several steps, such as compilation and testing. One of those steps is an automated security check. In this case, that check flagged a possible security problem during the build pipeline. We call such a problem a vulnerability.
Impact
The moment this vulnerability is exploited, the consequence is that the web server crashes. No data is leaked and there is no access to the application. However, a visitor (or administrator) will see error pages and thus the website will be inaccessible. A restart of the web server presumably (*) fixes the problem, until a malicious party attacks again.
(*) The exact impact is still under investigation by NIST (National Institute of Standards and Technology). This is an agency of the US government and they set standards, guidelines and recommendations for various aspects of technology, including cybersecurity.
Technical details
A problem has been discovered in the Apache Commons Compress library, which could potentially create an infinite loop on the system. This could be abused to launch a denial of service attack, preventing the server from processing other requests. This issue affects Apache Commons Compress versions 1.3 to 1.25.0. It is recommended to upgrade to version 1.26.0, which fixes this issue.
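To turn the version range above into a concrete check on a deployed server, here is an added example (not GX's or Apache's own code) that looks for commons-compress jars by file name and compares their version against the affected range 1.3 to 1.25.0 (fixed in 1.26.0). The sample paths and directory layout are constructed and hypothetical.

```python
import re
from pathlib import Path

# Affected range as stated in the advisory: 1.3 up to and including 1.25.0,
# fixed in 1.26.0. Versions are compared as (major, minor, patch) tuples.
AFFECTED_MIN = (1, 3, 0)
FIXED_IN = (1, 26, 0)

# Matches Maven-style jar names such as commons-compress-1.25.0.jar
JAR_RE = re.compile(r"commons-compress-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.21' -> (1, 21, 0); pads missing components with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version):
    """True when the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def scan_jar_names(names):
    """Map every commons-compress jar path in names to True (affected) or False."""
    findings = {}
    for name in names:
        match = JAR_RE.search(name)
        if match:
            findings[name] = is_affected(match.group(1))
    return findings


def scan_directory(root):
    """Walk a deployment directory (e.g. a WEB-INF/lib folder) and report jars."""
    return scan_jar_names(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample paths; the directory layout is hypothetical, not XC's own.
SAMPLE_JARS = [
    "webapps/xc/WEB-INF/lib/commons-compress-1.21.jar",
    "webapps/xc/WEB-INF/lib/commons-io-2.15.1.jar",
    "connector-api/lib/commons-compress-1.25.0.jar",
    "connector-api-patched/lib/commons-compress-1.26.0.jar",
]

if __name__ == "__main__":
    for jar, affected in scan_jar_names(SAMPLE_JARS).items():
        print(("AFFECTED  " if affected else "ok        ") + jar)
```

A file-name check misses copies of the library that were shaded or bundled into another jar, so treat it as a quick triage step rather than a replacement for the build pipeline's dependency scan.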
What is Apache Commons Compress?
Apache Commons Compress is a Java library that allows developers to compress, decompress and archive files. It makes it easier to work with different compression formats within Java applications, such as ZIP and TAR, without developers having to implement complex compression algorithms themselves.
-Timeline-
22 February 09:29 - first notification
GX Product Development reports that our own automated security checks (build pipeline) have flagged CVE-2024-25710. It concerns a vulnerability in Apache Commons Compress, versions 1.3 to 1.25.0. We are investigating the impact of the notification and whether it affects XperienCentral.
09:33
Start of this article, by Customer Services. Expect regular updates throughout this day.
09:44 - contradictory sources
There are two sources that contradict each other. Mitre.org says 1.3 to 1.25 (source), NIST says 1.21 to 1.26 (source). About Mitre.org and NIST:
- Mitre.org is a non-profit that tackles complex problems with technology. Among other things, it manages the CVE database of known software vulnerabilities.
- NIST (National Institute of Standards and Technology) is an agency of the US government that sets standards, guidelines and recommendations for various aspects of technology, including cybersecurity.
09:56
Technical details added to this page, background rewritten.
10:33
Currently, NIST is still conducting an analysis, so it is not yet clear what risks this CVE poses and how it could be exploited.
10:40 - vulnerable XC releases
The vulnerability is present from R25 to 10.42 and is located in XperienCentral's Connector API. This API uses Apache Commons Compress. Expect a patch for this soon.
10:48
GX's architects are checking which organisations are using the API where Apache Commons Compress is in use and whether it is vulnerable or not. The reproduction path of this issue is still unknown.
11:52 - location of the vulnerability
The vulnerability has so far only been found in the Connector API.
13:22
It seems that the library in question is not directly in XC, indicating that the message from our build pipeline is probably a false positive. However, we have determined that the library is present in the Connector API, for which a patch has since been developed (and tested) with the latest version of the API.
13:31 - limited risk
In the upcoming release of XC (R43), the Connector API has been patched. Although we see hardly any risk (*) in unpatched versions (because the vulnerability is not accessible from outside XC), we are still taking extra security measures. Therefore, we are providing future releases with a modified Connector API to fix the vulnerability as completely as possible. If after reading this page you still need a patch, we understand. If so, please contact your architect, account manager, scrum team or Customer Services. Any of our people can point you to the patch.
(*) In theory, there is a small chance of abuse, namely when a person (with sufficient rights) uploads a corrupted zip file into XC. However, this upload must take place on an installation where the vulnerability is already present (condition 1) AND where a malicious user has access to the installation (condition 2). If someone already has all these rights, it is fair to wonder whether uploading a ZIP file is the most logical step for malicious purposes. Once someone has these rights, there are more serious actions available than uploading a ZIP file.
16:03 - conclusion
The default installation of XC does not include the vulnerable plug-in. This applies to R25 to R41. Although plug-ins that may contain a vulnerable version are used during the build process of XC, they are not placed on a server and are therefore not of concern. However, the Connector API does contain a vulnerable version that is actually integrated within an XC installation. A patch is now available for that.
The vulnerable code has limited access and is also located behind the login of XperienCentral's editorial environment. At the moment, it is not yet clear exactly how the vulnerability can be exploited. What can already be stated with certainty is that access to XperienCentral is required, especially to the Import Content functionality.