Details
-
Task
-
Status: Closed
-
Medium
-
Resolution: Done
-
None
-
None
-
None
Description
Per security subcommitte, request JIRA's for false positives.
This dependency brings in the Jython (Python) interpreter for executing scripts written in Python under the control of Apex.
There are two vulnerabilities, both concerning adding extra modules to the Python libraries on a host running Python scripts under Jython.
- The setup.py and build_py.py files allow extra python packages to be installed on the host during the startup of Jython. This mechanism uses the setuptools mechanism to install those packages. That mechanism does not enforce path traversal restrictions, allowing malicious packages to access protected areas on the host.
- Jython uses packages installed with the python pip utility. Pip is vulnerable to Path Traversal attacks, malicious packages installed with pip can access protected areas on the host
The solution is to warn developers not to install malicious extra Python packages.
Attachments
| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 95693,2 | Disable Jython Excutor for security | master | policy/apex-pdp | Status: MERGED | +2 | +1 |
| 95910,1 | Disable Jython Excutor for security | elalto | policy/apex-pdp | Status: MERGED | +2 | +1 |