oss-sec mailing list archives

Re: CVE request for the Play Framework

From: Will Sargent <will.sargent () lightbend com>
Date: Wed, 20 Jul 2016 09:15:26 -0700

In version 2.5.0 of the Play Framework a CSRF bypass that depends upon
an implementation bug in chrome's beacon api was fixed.


We think additional information would help in deciding whether this is
commonly recognized as a Play Framework vulnerability (which would
have a CVE ID) or Play Framework security hardening (which would not
have a CVE ID). Our understanding thus far is:

  - Play Framework is not an Atlassian product

  - https://github.com/playframework/playframework/pull/5527#discussion-diff-51786858
    says "In order to make Play's CSRF filter more resilient to
    browser plugin vulnerabilities and new extensions, the default
    configuration for the CSRF filter has been made far more
    conservative."

  - Chromium issue 490015 has some debate about whether it is a
    Chrome/Chromium vulnerability, e.g., "The issue is whether it's
    the browser responsibility to act as a nanny to weak websites, or
    we should leave weak websites as sacrifice for great justice."
    versus "To be clear, this is a security bug ... There is a
    security bug in Chrome, but no action is being done."

Typically, it would be best not to have a CVE for Play Framework if
the essence of the Play Framework problem is "the product did not
proactively add workarounds for all browser-level vulnerabilities that
might be discovered later."


Thanks for your review -- Play is proactive about security, but does
rely on the integrity of the browser to implement key security features
(CORS, Same Origin Policy, security headers, etc) for that functionality.

Regarding your other questions, Play Framework ("Play" for short) is an
open source project -- the source code is owned and licensed by
Lightbend.  You can read more about it here:

https://www.playframework.com/community-process#Implementation-decisions

For reference, there is a mailing list for reporting vulnerabilities at
security () playframework org.

The mailing list for receiving Play Framework security announcements is
at https://groups.google.com/forum/#!forum/play-framework-security

And the HTML page for viewing Play security advisories reports is at
https://www.playframework.com/security/vulnerability

Thanks,
Will Sargent
Lightbend, Play Team

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

CVE request for the Play Framework David Black (Jul 12)
- Re: CVE request for the Play Framework cve-assign (Jul 15)
  - Re: CVE request for the Play Framework David Black (Jul 17)
- <Possible follow-ups>
- Re: CVE request for the Play Framework Will Sargent (Jul 20)