When `SecurityCheck.AccessLimiter` is set up, the instance of UA can be accessed by `new UAccessor` and `UnsafeAccessor` instances. Therefore, the main application should always set up `SecurityCheck.AccessLimiter` when `UnsafeAccessor` is used. In addition, the main application should set `SecurityCheck.AccessLimiter` to `UnsafeAccessor.UnsafeAccessor(java.lang.String)`. The patch in version 1.7.0 fixes this issue. This issue has been backported to version 1.4.0, which is the release prior to 1.7.0. Therefore, if you are using 1.4.0 or prior, you need to patch 1.7.0.

How to Patch shameless plug

If you are using shameless plug, the patch is easy. Download the bundle and replace it with the patched version.

CVE-2021-31138

When `SecurityCheck.AccessLimiter` is set up, the instance of UA can be accessed by `new UAccessor` and `UnsafeAccessor` instances. Therefore, the main application should always set up `SecurityCheck.AccessLimiter` when `UnsafeAccessor` is used. In addition, the main application should set `SecurityCheck.AccessLimiter` to `UnsafeAccessor.UnsafeAccessor(java.lang.String)`. The patch in version 1.7.0 fixes this issue and prevents a potential use-after-free vulnerability with UnsafeAccessor instances used by SecurityCheck implementations that have been patched by this change in 1.7.0.

Vulnerability Description

This patch addresses a potential security vulnerability that allows Code-Injection. The problem is that the `SecurityCheck.AccessLimiter` instance is not being set up when `UnsafeAccessor` is used in some cases. Therefore, code can be injected because the instance of `UnsafeAccessor` can still be accessed by new `UAccessor` and `UnsafeAccessor` instances. In order to fix this issue, `SecurityCheck.AccessLimiter` should always be set up when `UnsafeAccessor` is used.

CVE-2019-12811

In version 1.7.0 and prior, `SecurityCheck.AccessLimiter` is not set up when `UnsafeAccessor` is used by the main application. Because of this, there are security risks related to not setting up `SecurityCheck.AccessLimiter`. You should patch your application to include the fix in 1.7.0 so that your application will be secure as of release 1.7.0 or higher versions of the application

Timeline

Published on: 07/11/2022 19:15:00 UTC
Last modified on: 07/18/2022 16:01:00 UTC

References