Vulnerability CVE-2020-11979 - CERT Civis.Net

Vulnerability Name:

CVE-2020-11979 (CCN-189164)

Assigned:

2020-09-30

Published:

2020-09-30

Updated:

2022-05-12

Summary:

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2020-11979

Source: CCN
Type: Apache Web site
Apache Ant

Source: XF
Type: UNKNOWN
apache-cve202011979-sec-bypass(189164)

Source: MISC
Type: Third Party Advisory
https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm

Source: MLIST
Type: Mailing List, Vendor Advisory
[creadur-dev] 20201006 [jira] [Updated] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[creadur-dev] 20201006 [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979

Source: MLIST
Type: Mailing List, Vendor Advisory
[creadur-dev] 20201006 [jira] [Updated] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8

Source: MLIST
Type: Mailing List, Vendor Advisory
[creadur-dev] 20201006 [jira] [Assigned] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979

Source: MLIST
Type: Mailing List, Vendor Advisory
[creadur-dev] 20201006 [jira] [Resolved] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[creadur-dev] 20210419 [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[creadur-dev] 20210621 [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8

Source: MISC
Type: Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-92b1d001b3

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-3ce0f55bc5

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-2640aa4e19

Source: CCN
Type: oss-sec Mailing List, Wed, 30 Sep 2020 19:09:30 +0200
[CVE-2020-11979] Apache Ant insecure temporary file vulnerability

Source: GENTOO
Type: Third Party Advisory
GLSA-202011-18

Source: CCN
Type: IBM Security Bulletin 6381828 (Blockchain Platform for Cloud)
Gradle version in IBP javaenv and dind images depends on vulnerable Apache Ant

Source: CCN
Type: IBM Security Bulletin 6405892 (Spectrum Symphony)
Vulnerability in Apache Ant affects IBM Spectrum Symphony

Source: CCN
Type: IBM Security Bulletin 6408860 (QRadar SIEM)
Apache Ant as used by IBM QRadar SIEM is vulnerable to Insecure Temporary Files (CVE-2020-11979)

Source: CCN
Type: IBM Security Bulletin 6416391 (Spectrum Symphony)
Multiple vulnerability issues affect IBM Spectrum Symphony 7.3.1

Source: CCN
Type: IBM Security Bulletin 6416393 (Spectrum Conductor)
Multiple vulnerability issues affect IBM Spectrum Conductor 2.5.0

Source: CCN
Type: IBM Security Bulletin 6437563 (UrbanCode Deploy)
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them

Source: CCN
Type: IBM Security Bulletin 6453467 (Control Center)
Apache Ant Vulnerabilities Affect IBM Control Center (CVE-2020-1945, CVE-2020-11979)

Source: CCN
Type: IBM Security Bulletin 6967183 (Cloud Pak System Software Suite)
Multiple vulnerabilities in Open Source software used by Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6967553 (Cloud Pak for Data System)
Vulnerability in ant-1.8.1.jar affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0)

Source: CCN
Type: IBM Security Bulletin 6969771 (Log Analysis)
Multiple vulnerabilities affect Apache Ant shipped with IBM Operations Analytics - Log Analysis

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2021
Oracle Critical Patch Update Advisory - January 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:ant:1.10.8:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:gradle:gradle:*:*:*:*:*:*:*:* (Version < 6.8.0)

Configuration 3:

cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 16.2.0 and <= 16.2.11)

OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12)

OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_service_backbone:15.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:14.1.3.9:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:15.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:16.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_treasury_management:14.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (Version >= 8.0.6 and <= 8.0.9)

OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 17.12.0 and <= 17.12.9)

OR cpe:/a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*

OR cpe:/a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:real-time_decision_server:11.1.1.9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_category_management_planning_&_optimization:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_eftlink:20.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:14.1.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:15.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_item_planning:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_macro_space_optimization:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_merchandise_financial_planning:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_merchandising_system:14.1.3.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_regular_price_optimization:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_replenishment_optimization:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_service_backbone:14.1.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:storagetek_tape_analytics:2.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:* (Version < 11.2.2.8.27)

Configuration CCN 1:

cpe:/a:apache:ant:1.10.8:-:*:*:*:*:*:*

AND

cpe:/a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:flexcube_private_banking:12.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.3.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_symphony:7.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_symphony:7.2.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_symphony:7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p5:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:patch1:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.2:p1:*:*:*:*:*:*

OR cpe:/a:ibm:control_center:6.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.5.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.1.1.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7986	P	ant-1.10.12-150200.4.12.5 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:111932	P	ant-1.10.10-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105500	P	ant-1.10.10-1.2 on GA media (Moderate)	2021-10-01