Skip to content

/ securitylab

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CodeQL query for disabled revocation checking #78

Closed
artem-smotrakov opened this issue May 9, 2020 · 2 comments
Closed

CodeQL query for disabled revocation checking #78

artem-smotrakov opened this issue May 9, 2020 · 2 comments
Labels
All For One

Comments

@artem-smotrakov
Copy link

@artem-smotrakov artem-smotrakov commented May 9, 2020

CVE ID(s)

The query found several places in Apache CXF and Cloudstack where certificate revocation checking was disabled:

Report

I added a query that looks for disabled revocation checking in Java, please see github/codeql#3436

Using a revoked certificate may be dangerous. One of the most common reasons why a certificate authority (CA) revokes a certificate is that the private key has been compromised. For example, the private key might have been stolen by an adversary.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write a blog post about the query I wrote and catching such issues with CodeQL.
@artem-smotrakov artem-smotrakov changed the title [USERNAME]: [SUMMARY] CodeQL query for disabled revocation checking May 9, 2020
@anticomputer
Copy link
Contributor

@anticomputer anticomputer commented Jun 3, 2020

GHSL feedback: this query has a confirmed low false positive rate with a practical scope across a variety of projects as verified on LGTM. Security impact is application context dependent.
@xcorail
Copy link
Contributor

@xcorail xcorail commented Jul 6, 2020

Created Hackerone report 917453 for bounty 227490 : [78] CodeQL query for disabled revocation checking 🎉
@xcorail xcorail closed this Jul 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
All For One
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@xcorail @anticomputer @artem-smotrakov
You can’t perform that action at this time.