CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn
The Apache Software Foundation
Apache Brooklyn 0.9.0 and all prior versions
Apache Brooklyn’s REST server is vulnerable to cross-site request forgery (CSRF). A malicious web site can embed a link or form which, if clicked whilst the user is logged in to Brooklyn, makes the user’s browser send a request to the Brooklyn REST API carrying the user’s session cookie; the server then executes the attacker’s chosen command with that user’s privileges. A proof-of-concept exploit for this vulnerability is known to exist.
Temporary mitigation if you cannot upgrade to 0.10.0
Do not browse web sites that may carry malicious content targeted at you in the same browser instance that is logged in to Brooklyn, unless you have CSRF-POST protection installed in the browser (see 3). Do not share a Brooklyn server with untrusted users unless an enhanced entitlements scheme is in place. Do not publicize the address of Brooklyn-based UIs. If a link you click on takes you to Brooklyn unexpectedly, contact your security team immediately.
The attacker puts something like this on their malicious site (the query string in the form action is preserved when the browser submits the POST):
<form action="http://<Brooklyn>/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked" method="POST">
  <input type="submit" value="Click here">
</form>
If the user submits this form while logged in to Brooklyn, the browser attaches the user’s session cookie to the POST and the server renames that entity to "hacked" on the attacker’s behalf. Any other state-changing REST call can be forged in the same way.
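To show why the forged POST above is accepted and what a server-side defence has to check, here is an added example that is not part of the advisory and not Apache Brooklyn’s own code. It is a generic CSRF admission check of the kind usually applied to a REST API: a state-changing request is allowed only if its Origin (or Referer) is trusted and it carries an anti-CSRF token in a custom header that matches a token cookie. A plain cross-site HTML form can set neither a custom header nor a matching token, so the advisory’s PoC is rejected. The cookie and header names, the trusted origin, and the sample requests are all assumptions constructed for the example.

```python
"""Generic CSRF admission check for a cookie-authenticated REST API.

Added illustration for CVE-2016-8737; NOT Apache Brooklyn's filter.
All names below (cookie/header names, origins, tokens) are assumptions.
"""
import hmac
from urllib.parse import urlsplit

SESSION_COOKIE = "JSESSIONID"   # assumption: cookie the browser attaches automatically
CSRF_COOKIE = "Csrf-Token"      # assumption: double-submit token cookie
CSRF_HEADER = "X-Csrf-Token"    # assumption: header the legitimate UI adds via XHR/fetch
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(request):
    """Return 'scheme://host[:port]' from Origin, falling back to Referer, else None."""
    headers = request["headers"]
    value = headers.get("Origin")
    if value is None:
        referer = headers.get("Referer")
        if referer is None:
            return None
        parts = urlsplit(referer)
        value = f"{parts.scheme}://{parts.netloc}"
    return value.lower()


def csrf_verdict(request, trusted_origins):
    """Return (allowed, reason) for a request dict with method/path/headers/cookies.

    Order of checks: safe methods pass; requests without a session cookie are
    not forgeable via the browser's ambient credentials and are left to the
    authentication layer; otherwise a cross-site Origin/Referer is rejected,
    then the header token must be present and equal to the cookie token.
    """
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    if SESSION_COOKIE not in request["cookies"]:
        return True, "no session cookie: nothing to forge, auth layer decides"

    origin = origin_of(request)
    if origin is not None and origin not in trusted_origins:
        return False, f"cross-site origin {origin}"

    header_token = request["headers"].get(CSRF_HEADER)
    cookie_token = request["cookies"].get(CSRF_COOKIE)
    if not header_token or not cookie_token:
        return False, "missing anti-CSRF token header or cookie"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(header_token.encode(), cookie_token.encode()):
        return False, "token mismatch"
    return True, "token and origin verified"


# Assumption: where the Brooklyn-style UI is served from.
TRUSTED = {"http://brooklyn.example:8081"}

# Constructed: what the advisory's attacker form produces when the victim clicks it.
# The browser attaches every cookie for the target host, but a plain HTML form
# cannot add a custom header, so X-Csrf-Token is absent.
FORGED = {
    "method": "POST",
    "path": "/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked",
    "headers": {"Origin": "http://evil.example",
                "Content-Type": "application/x-www-form-urlencoded"},
    "cookies": {"JSESSIONID": "abc123", "Csrf-Token": "t0k3n"},
}

# Constructed: the same endpoint called by the legitimate UI via XHR/fetch.
LEGIT = {
    "method": "POST",
    "path": "/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=renamed",
    "headers": {"Origin": "http://brooklyn.example:8081", "X-Csrf-Token": "t0k3n"},
    "cookies": {"JSESSIONID": "abc123", "Csrf-Token": "t0k3n"},
}

# Constructed: an older browser sending only Referer, from the attacker's lure page.
REFERER_ONLY = {
    "method": "POST",
    "path": "/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked",
    "headers": {"Referer": "http://evil.example/lure.html"},
    "cookies": {"JSESSIONID": "abc123", "Csrf-Token": "t0k3n"},
}

if __name__ == "__main__":
    for label, req in (("forged", FORGED), ("legit", LEGIT), ("referer-only", REFERER_ONLY)):
        print(label, csrf_verdict(req, TRUSTED))
```

The Origin/Referer check on its own is the cheap, coarse filter; the token check is what actually stops a forged request when neither header is sent, which is why both are kept. This illustrates the class of fix; the upgrade to Brooklyn 0.10.0 remains the supported remedy.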
This vulnerability was discovered by Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc., and reported to JPCERT/CC, who reported it to the Apache Software Foundation on his behalf.