CVE-2020-11979 Overview
CVE-2020-11979 is a temporary file creation vulnerability in Apache Ant 1.10.8 that undermines the security fix implemented for CVE-2020-1945. When using the fixcrlf task, Ant deletes a securely created temporary file and recreates it without the proper permission restrictions, allowing local attackers to potentially inject modified source files into the build process.
Critical Impact
This vulnerability allows attackers to inject malicious code into software builds by exploiting insecure temporary file handling, potentially compromising the integrity of compiled applications and their supply chain.
Affected Products
- Apache Ant 1.10.8
- Gradle (all versions prior to patch)
- Fedora 31, 32, 33
- Oracle Agile Engineering Data Management 6.2.1.0
- Oracle API Gateway 11.1.2.4.0
- Oracle Banking Platform (versions 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0)
- Oracle Data Integrator 12.2.1.3.0 and 12.2.1.4.0
- Oracle Primavera Gateway and Primavera Unifier (multiple versions)
- Multiple Oracle Retail products
Discovery Timeline
- October 1, 2020 - CVE-2020-11979 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-11979
Vulnerability Analysis
This vulnerability represents an incomplete fix for a previous security issue (CVE-2020-1945). Apache Ant 1.10.8 was released with a mitigation that changed the permissions of temporary files to restrict access to the current user only. However, this protection was inadvertently bypassed by the fixcrlf task.
The fixcrlf task is designed to convert line endings in text files between different operating system formats (CRLF for Windows, LF for Unix). During its operation, the task deletes the original temporary file that was created with secure permissions and creates a new temporary file without applying those same permission restrictions. This creates a window of opportunity where an attacker with local access can exploit the race condition to read or modify the temporary file contents.
Root Cause
The root cause is an implementation oversight in the fixcrlf task's temporary file handling mechanism. While the main Apache Ant codebase was updated to create temporary files with restrictive permissions (readable only by the current user), the fixcrlf task's file recreation logic did not inherit or apply these security measures. This creates insecure temporary files with default permissions that may allow other local users to access or modify the file contents.
Attack Vector
An attacker with local access to the build system can exploit this vulnerability through a Time-of-Check Time-of-Use (TOCTOU) race condition. The attack flow involves:
- Monitoring the system's temporary directory for files created by Apache Ant build processes
- Detecting when the fixcrlf task deletes the original secure temporary file
- Racing to create a symbolic link or replacement file at the same path before Ant recreates the file
- Injecting malicious content that gets processed as legitimate source code during the build
This attack enables modification of source files during the build process, potentially introducing backdoors or malicious code into compiled applications. The network attack vector classification indicates this can be triggered remotely through build systems that process external inputs.
The vulnerability mechanism involves the fixcrlf task's file handling sequence. When processing files, the task first creates a temporary file with secure permissions, then deletes it, and finally creates a new temporary file without the same permission restrictions. This gap in security allows unauthorized access to potentially sensitive build artifacts.
Detection Methods for CVE-2020-11979
Indicators of Compromise
- Unexpected modifications to temporary files in Ant build directories
- Unusual file permission changes in /tmp or system temp directories during builds
- Symbolic links appearing in temporary directories pointing to build-related files
- Unexplained changes to compiled artifacts compared to source code
Detection Strategies
- Monitor file system activity during Apache Ant build processes for unexpected permission changes on temporary files
- Implement file integrity monitoring on build servers to detect unauthorized modifications to temporary files
- Review build logs for fixcrlf task execution and correlate with file system events
- Deploy SentinelOne endpoint protection to detect suspicious file manipulation patterns during build processes
Monitoring Recommendations
- Enable detailed logging for Apache Ant build processes, particularly around temporary file operations
- Configure alerts for unexpected file permission changes in build environment temp directories
- Implement build artifact signing and verification to detect tampering
- Use isolated build environments with restricted local user access to minimize attack surface
How to Mitigate CVE-2020-11979
Immediate Actions Required
- Upgrade Apache Ant to version 1.10.9 or later which contains the complete fix for this vulnerability
- Review and restrict user access to build servers and systems running Apache Ant
- Implement isolated build environments using containers or dedicated build agents
- Audit existing build configurations for use of the fixcrlf task and assess exposure
Patch Information
Apache has released a fix for this vulnerability in subsequent versions of Ant. Organizations should upgrade to Apache Ant 1.10.9 or later. For Oracle products, consult the relevant Oracle Critical Patch Updates from January 2021, April 2021, July 2021, October 2021, January 2022, and April 2022. Gradle users should review the GitHub Security Advisory GHSA-j45w-qrgf-25vm for specific guidance.
Workarounds
- Set restrictive umask values before running Ant builds to limit default file permissions
- Use dedicated service accounts with minimal privileges for build processes
- Configure temporary directories on mounted filesystems with restricted access
- Avoid using the fixcrlf task until the system can be upgraded to a patched version
# Set restrictive umask before running Ant builds
umask 077
# Run Ant build with restricted permissions
ant -Djava.io.tmpdir=/secure/tmp build
# Alternatively, configure private temp directory
export ANT_OPTS="-Djava.io.tmpdir=$HOME/.ant-tmp"
mkdir -p $HOME/.ant-tmp
chmod 700 $HOME/.ant-tmp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
