Securing the fight against COVID-19 through open source
Blog post from GitHub
A security vulnerability in Germany's COVID-19 contact tracing infrastructure, specifically in the Corona-Warn-App Server, was identified and addressed by the GitHub Security Lab using CodeQL technology. The vulnerability, a Remote Code Execution (RCE) flaw, could potentially allow attackers to execute arbitrary Java code on the server, thereby compromising the integrity of Germany's COVID-19 response. The issue arose from insecure Java Bean Validation practices: user-controlled input was placed into constraint violation message templates, where it could be interpreted as Expression Language (EL). The vulnerability was located in the public and unauthenticated submission service of the server, where infected users upload diagnosis keys. The GitHub Security Lab collaborated with SAP to mitigate the problem by removing user-controlled inputs from violation messages and disabling EL interpolation. The discovery and resolution of this vulnerability underscore the importance of open-source transparency and collaboration in ensuring the security of critical infrastructure. Beyond the fix itself, GitHub's CodeQL queries continue to help prevent similar vulnerabilities from being reintroduced, offering an additional layer of security for Java projects on GitHub with code scanning enabled.
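The following Java example is added here to illustrate the vulnerability class and both mitigations the summary describes; it is not code from the Corona-Warn-App Server, SAP, or the GitHub post. The constraint `ValidDiagnosisKey`, its validator, the `Submission` class, the 24-character key pattern and the EL probe `${3 * 7}` are all constructed for the demonstration. It assumes `javax.validation` 2.x with Hibernate Validator 6.0/6.1 on the classpath (later 6.2+ releases already restrict EL evaluation in custom violation messages by default, so the first case would not fire there).

```java
// Added illustration of Bean Validation EL injection and its fixes.
// Not code from the Corona-Warn-App Server or the GitHub post.
// Assumes javax.validation 2.x + Hibernate Validator 6.0/6.1.
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

// Constructed constraint: a "diagnosis key" must be 24 base64-style characters.
@Documented
@Constraint(validatedBy = {ValidDiagnosisKeyValidator.class})
@Target({ElementType.FIELD})
@Retention(RetentionPolicy.RUNTIME)
@interface ValidDiagnosisKey {
    String message() default "Invalid diagnosis key";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class ValidDiagnosisKeyValidator implements ConstraintValidator<ValidDiagnosisKey, String> {
    // Demo toggle only: true reproduces the vulnerable pattern, false the fixed one.
    static boolean includeUserInputInTemplate = true;

    @Override
    public boolean isValid(String key, ConstraintValidatorContext ctx) {
        if (key != null && key.matches("[A-Za-z0-9+/=]{24}")) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        if (includeUserInputInTemplate) {
            // VULNERABLE: the submitted value becomes part of the message *template*,
            // so any ${...} it contains is evaluated by the EL-enabled interpolator.
            ctx.buildConstraintViolationWithTemplate("Invalid diagnosis key: " + key)
               .addConstraintViolation();
        } else {
            // FIX 1: a static template; the offending value is never interpolated.
            ctx.buildConstraintViolationWithTemplate("Invalid diagnosis key")
               .addConstraintViolation();
        }
        return false;
    }
}

public class ElInterpolationDemo {
    // Constructed request object standing in for an upload payload.
    static class Submission {
        @ValidDiagnosisKey String key;
        Submission(String key) { this.key = key; }
    }

    // Returns the interpolated message of the first violation, or "(valid)".
    static String firstMessage(Validator validator, String key) {
        Set<ConstraintViolation<Submission>> violations = validator.validate(new Submission(key));
        return violations.isEmpty() ? "(valid)" : violations.iterator().next().getMessage();
    }

    public static void main(String[] args) {
        // Benign, constructed probe: if EL runs, "${3 * 7}" is replaced by "21".
        String probe = "${3 * 7}";

        Validator defaultValidator = Validation.buildDefaultValidatorFactory().getValidator();

        // Case A: vulnerable template + default (EL-enabled) interpolator.
        ValidDiagnosisKeyValidator.includeUserInputInTemplate = true;
        System.out.println("A: " + firstMessage(defaultValidator, probe));
        // -> "A: Invalid diagnosis key: 21"   (expression was evaluated)

        // Case B: FIX 1, user input removed from the template.
        ValidDiagnosisKeyValidator.includeUserInputInTemplate = false;
        System.out.println("B: " + firstMessage(defaultValidator, probe));
        // -> "B: Invalid diagnosis key"

        // Case C: FIX 2 (defence in depth), an interpolator that never evaluates EL,
        // so even a template that leaks user input cannot execute expressions.
        Validator noElValidator = Validation.byDefaultProvider().configure()
            .messageInterpolator(new ParameterMessageInterpolator())
            .buildValidatorFactory()
            .getValidator();
        ValidDiagnosisKeyValidator.includeUserInputInTemplate = true;
        System.out.println("C: " + firstMessage(noElValidator, probe));
        // -> "C: Invalid diagnosis key: ${3 * 7}"   (left as literal text)
    }
}
```

Case A is the pattern that lets a submitter influence what the server evaluates; cases B and C correspond to the two mitigations named above (no user input in message templates, and EL interpolation disabled). Applying both is the sensible default, since the second protects against a future template that reintroduces the first mistake. A reviewer can grep for `buildConstraintViolationWithTemplate(` calls whose argument is built by string concatenation with request data, which is essentially the condition the CodeQL query flags.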