ballerina-platform/ballerina-lang used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle (MiTM) attack and remote code execution (RCE).
The Ballerina programming language provides the bal tool for managing everything related to Ballerina.
Dependency management is done using the search commands, which allow downloading/uploading packages from the central repository or searching for a package.
I’m focusing on the bal pull command; the other sub-commands have the same problem and a similar execution flow.
The bal pull command is internally represented by the PullCommand class, which delegates the actual work to the CentralAPIClient#pullPackage method.
The pullPackage method then calls the Utils#initializeSsl method, which claims to “initialize SSL” but actually installs an insecure TrustManager (defined here).
This TrustManager allows an attacker to create a self-signed certificate that matches the hostname of the intercepted connection.
After an attacker has forged such a certificate they can intercept and manipulate the requested package and include arbitrary code! Because the issue affects both downloading and uploading of packages this could also be used for a supply-chain attack.
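To make the defect concrete, the following is an added example (not Ballerina’s own code; the class and method names are assumptions) showing the trust-all pattern described above next to the hardened form that delegates to the JVM’s default trust store, plus a small audit helper that tells the two apart by feeding an empty certificate chain: a real trust manager refuses it, a trust-all one accepts it.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Hypothetical class for illustration; not part of ballerina-lang.
public class TrustManagerExample {

    // INSECURE: every chain is "trusted" because the check methods never throw.
    // Hostname verification still runs, but an interceptor simply issues a
    // self-signed certificate for the expected hostname and it is accepted.
    static X509TrustManager insecureTrustManager() {
        return new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    // HARDENED: use the platform default trust store (cacerts), so the server
    // chain must lead to a CA the JVM already trusts. For a private CA, load it
    // into a KeyStore and pass that to tmf.init() instead of trusting everything.
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    // Build an SSLContext from a given trust manager (what initializeSsl-style
    // helpers typically do; only the trust manager passed in differs).
    static SSLContext contextFor(X509TrustManager tm) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, new SecureRandom());
        return ctx;
    }

    // Audit helper: a correct trust manager rejects an empty chain
    // (the JDK implementation throws IllegalArgumentException, others throw
    // CertificateException); a trust-all manager silently returns.
    static boolean trustsEverything(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager insecure = insecureTrustManager();
        X509TrustManager hardened = defaultTrustManager();
        contextFor(insecure);
        contextFor(hardened);
        System.out.println("trust-all manager accepts anything: " + trustsEverything(insecure));
        System.out.println("default manager accepts anything:   " + trustsEverything(hardened));
    }
}
```

The audit helper is a cheap regression check for a client library: run it over whatever X509TrustManager the SSL initialisation code actually installs, and fail the build if it returns true.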
- Machine-in-the-middle attack
- Remote code execution
- Supply chain attack
- 2021-03-08: Sent a mail to email@example.com.
- 2021-06-04: Issue is patched.
- 2021-06-22: CVE id is shared with me.
- 2021-06-22: Advisory is published.
This issue was discovered and reported by @intrigus-lgtm.
You can contact the ISL at firstname.lastname@example.org. Please include a reference to ISL-2021-001 in any communication regarding this issue.