Patch for CVE-2021-26291 is ineffective, uses unsupported 'blocked' tag

Bug #1999254 reported by Clement Cherlin
Affects: maven (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Nishit Majithia

Bug Description

A patch was applied in version 3.6.3-5ubuntu1 to address CVE-2021-26291, relating to Maven using unencrypted HTTP to connect to repositories.

This patch added a "maven-default-http-blocker" <mirror> entry to /etc/maven/settings.xml with a "<blocked>true</blocked>" element, with the desired effect of preventing Maven from connecting to repositories via unencrypted HTTP.

However, the <blocked> element in settings.xml is not supported by Maven versions prior to 3.8.1, according to https://issues.apache.org/jira/browse/MNG-7117.

The patch does not effectively address the CVE, because Maven prior to 3.8.1 does not recognize that the mirror should be blocked. I have confirmed that Maven 3.6.3-5ubuntu1 will connect to repositories via unencrypted HTTP.

Additionally, whenever Maven is invoked, it emits a confusing but harmless warning "Unrecognised tag: 'blocked'" while parsing the system settings.xml.
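As an added illustration (not part of the bug report or of the Ubuntu package), the script below parses a settings.xml, lists repository and plugin-repository URLs that still use plain HTTP, looks for the "maven-default-http-blocker" mirror, and reports whether the Maven version in use would actually honour its <blocked> element (3.8.1 and later, per MNG-7117). The embedded mirror entry follows the one Maven 3.8.1 ships in its default settings.xml; the repository hostnames and the sample profile are constructed for the example.

```python
"""Audit a Maven settings.xml for plain-HTTP repositories and check whether
the HTTP-blocker mirror is effective for a given Maven version."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: one profile with repositories, plus the blocker mirror
# that Maven >= 3.8.1 carries in its default settings.xml. Hostnames are fake.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>corp</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>http://repo.example.invalid/releases</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>plugins</id>
          <url>https://repo.example.invalid/plugins</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
"""

# <blocked> is recognised by Maven from this version on (MNG-7117).
BLOCKED_TAG_SINCE = (3, 8, 1)


def _local(tag):
    """Strip the XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_http_repositories(settings_xml):
    """Return (id, url) for every <repository>/<pluginRepository> using plain HTTP."""
    root = ET.fromstring(settings_xml)
    found = []
    for elem in root.iter():
        if _local(elem.tag) in ("repository", "pluginRepository"):
            url = _child_text(elem, "url") or ""
            if urlparse(url).scheme == "http":
                found.append((_child_text(elem, "id"), url))
    return found


def find_http_blocker(settings_xml):
    """Return the mirror that blocks external HTTP (mirrorOf external:http:*
    with <blocked>true</blocked>), or None if no such mirror is configured."""
    root = ET.fromstring(settings_xml)
    for elem in root.iter():
        if _local(elem.tag) != "mirror":
            continue
        blocked = (_child_text(elem, "blocked") or "false").lower() == "true"
        if blocked and _child_text(elem, "mirrorOf") == "external:http:*":
            return {"id": _child_text(elem, "id"), "url": _child_text(elem, "url")}
    return None


def parse_maven_version(version):
    """'3.6.3' -> (3, 6, 3); a distro suffix after '-' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def audit(settings_xml, maven_version):
    """Summarise whether plain-HTTP repositories would really be blocked.
    A blocker mirror only helps if the running Maven honours <blocked>."""
    http_repos = find_http_repositories(settings_xml)
    blocker = find_http_blocker(settings_xml)
    honours_blocked = parse_maven_version(maven_version) >= BLOCKED_TAG_SINCE
    effective = blocker is not None and honours_blocked
    return {
        "http_repositories": http_repos,
        "blocker_present": blocker is not None,
        "blocked_tag_honoured": honours_blocked,
        "http_effectively_blocked": effective,
        "still_reachable_over_http": [] if effective else http_repos,
    }


if __name__ == "__main__":
    for version in ("3.6.3", "3.8.1"):
        print(version, audit(SAMPLE_SETTINGS, version))
```

Run against a real file with `audit(open("/etc/maven/settings.xml").read(), "3.6.3")` and the version printed by `mvn -v`; a result with `blocker_present` true but `blocked_tag_honoured` false is exactly the situation this bug describes.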

summary: - Patch for CVE-2021-26291 uses unsupported 'blocked' tag
+ Patch for CVE-2021-26291 is ineffective, uses unsupported 'blocked' tag
Eduardo Barretto (ebarretto) wrote :

@Nishit can you take a look at this issue?

Changed in maven (Ubuntu):
assignee: nobody → Nishit Majithia (0xnishit)
Nishit Majithia (0xnishit) wrote :

Hey @mooninaut, thank you for reporting this issue.
I have added a few extra fix commits to patch this issue; could you please try the updated packages from the staging PPA in kinetic and let me know? They are here: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=maven&field.status_filter=published&field.series_filter=

Thanks

Clement Cherlin (mooninaut) wrote (last edit ):

@0xnishit Thanks for the fix! I installed libmaven3-core-java_3.6.3-5ubuntu1.1_all.deb and maven_3.6.3-5ubuntu1.1_all.deb and did some testing. The fix appears to be working as expected. Maven no longer complains about the "blocked" tag, and does not connect via unencrypted HTTP.

If I have "http" repos in ~/.m2/settings.xml, Maven correctly refuses to run with this error (details replaced with [placeholder]):

$ mvn -U validate
Non-resolvable parent POM for [groupid]:[artifactid]:[version]: Could not transfer artifact [parent-groupid]:[parent-artifactid]:pom:[parent-version] from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [central (http://[repository-host]/[release-repository-path], default, releases), snapshots (http://[repository-host]/[snapshot-repository-path], default, releases+snapshots)] and 'parent.relativePath' points at wrong local POM @ [groupid]:[artifactid]:[version], /[path-to-project]/pom.xml, line 15, column 11

With "https" repos, Maven correctly runs without error.

The same happens for plugins: if I have a "http" plugin repository URL and attempt to run a plugin with explicit Maven coordinates, I get a similar error:

$ mvn org.apache.maven.plugins:maven-help-plugin:3.3.0:help
[INFO] Scanning for projects...
Downloading from maven-default-http-blocker: http://0.0.0.0/org/apache/maven/plugins/maven-help-plugin/3.3.0/maven-help-plugin-3.3.0.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.441 s
[INFO] Finished at: 2023-01-11T09:31:16-06:00
[INFO] ------------------------------------------------------------------------
[ERROR] Plugin org.apache.maven.plugins:maven-help-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-help-plugin:jar:3.3.0: Could not transfer artifact org.apache.maven.plugins:maven-help-plugin:pom:3.3.0 from/to maven-default-http-blocker (http://0.0.0.0/): Transfer failed for http://0.0.0.0/org/apache/maven/plugins/maven-help-plugin/3.3.0/maven-help-plugin-3.3.0.pom: Connect to 0.0.0.0:80 [/0.0.0.0] failed: Connection refused (Connection refused) -> [Help 1]

With "https" plugin repositories, the same command completes successfully.

I will continue to use the patched version and report back later this week.

Cheers,
Clement

Nishit Majithia (0xnishit) wrote :

Thanks @mooninaut,
Sure, let me know if there is any issue; I am planning to do this update next week.

Cheers

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maven - 3.6.3-5ubuntu1.1

---------------
maven (3.6.3-5ubuntu1.1) kinetic-security; urgency=medium

  * SECURITY REGRESSION: Add previously incomplete CVE fix with a
    secondary patch (LP: #1999254)
    - debian/patches/CVE-2021-26291-*.patch: add extra missing commit to
    previous CVE-2021-26291 fix.
    - CVE-2021-26291

 -- Nishit Majithia <email address hidden> Fri, 06 Jan 2023 09:58:52 +0530

Changed in maven (Ubuntu):
status: New → Fix Released
Clement Cherlin (mooninaut) wrote :

Sorry I didn't get back to you Friday. I have not encountered any issues with the patch.
