Vulnerability In Java Commons Library Leads To Hundreds of Insecure Applications

An anonymous reader writes: Stephen Breen from the FoxGlove Security team is calling attention to what he calls the "most underrated, underhyped vulnerability of 2015." It's a remote code execution exploit that affects the latest versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software. How? An extremely common Java library. He says, "No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released over 9 months ago, none of the products mentioned in the title of the blog post have been patched, along with many more. In fact no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications.

FIRST POST

NIGGERS FOR SECURITY

Relations of two things

DICEDOT IS FOR NIGGERS. Slashdot is for white nerds. DICEDOT IS FOR NIGGERS. Slashdot is for white nerds.

OK

What else is new, if it's not fodder for hype and awe no one cares. This is a stupid premise for a /. story. This site has really gone downhill

Re:OK

You are mistaken. "This site" went downhill many, many years ago. It had long since hit rock bottom, and since the takeover has been drilling down to a rich vein of absolute vapidness. If you think the articles are trash (they are), then the comments are worth coming back to rubberneck every once in a while; they're so bad they make the articles look coherent by way of comparison. It's a pure unmitigated trainwreck of masturbating half-wits, truly a sight to behold. Turn off adblock and you get the icing on the cake, too!

Re:OK

[jones_supa]

Then can you show an example of some past Slashdot article and its comments that you saw being high quality?

Re:OK

Not from memory, it was far too long ago. However, the IA wayback machine gives suitable examples. I won't be drawn into a "no true Scotsman" fallacy over this, nothing is or was ever perfect. However, in the past the signal to noise ratio was much greater. Comments were generally helpful or useful, and offered genuine discussion from people who were actively involved in the topics under discussion and could offer an informed opinion. Yes, I was reading Slashdot back then (and earlier).

I'm guilty of snarking some comments myself, so I'm no innocent. I genuinely only read out of gross fascination at how lowbrow the site has become, and I don't mean that in an elitist way, I don't think anyone should sell themselves as short as the modern Slashdot.

So... flamebait? Maybe, I'm not adverse to posting trash on this rubbish heap. It's certainly not out of place here.

Re:OK

[obscuro]

https://soylentnews.org is a place the cool kids are trying to build out into something that does the old fun and useful /. stuff. So far, it's tough going. Obviously, the more the merrier. Come over and have an effect on the culture.

Test post

This is a test comment only, please do not respond to to this comment.

Re:Test post

fuck you

Re:Test post

This is a test fuck only. Please, do not respond to this fuck.

Fifth

Fifth post?

Re:Fifth

JAVA

Just
Allow
Vandals
Access

Yup! You're all gonna die

I heard from a friend you'd been messin' around
With a cute little thing I'd been dating uptown
Well I don't know if I like that idea much
Well you'd better stay clear I might start actin rough

You out of town guys sure think you're real keen
Think all of us boys here are homespun and green
But that's wrong my friend so get this through your head
We're tough and we're Texan with necks good and red

And it's Ki-yi-yippie-yi-yi
You long hairs are sure gonna die
Our American home was clean 'til you came
And kids still respected in the President's name

And the eagle still flew in the sky
Hearts filled with that national pride
Then you came along with your drug-crazy songs
Goddammit you're all gonna die

How dare you sit there and drink all our beer
It's made for us workers who sweat, spit and swear
The minds of our daughters are poisoned by you
With your communistic politics and them negro blues

Well I'm gonna quit talking and take action now
Run all of you fairies clean out of this town
Oh and I'm dog tired of watching you mess up our lives
Spending the summertime naturally high

ISIS is bombing passenger planes

ISIS is bombing passenger planes but this is all you nerds can think about. God I hope there's a war draft to get all you basement dwellers out front and center with the cold reality this nation faces. You cant build yourself a firewall from ISIS. You need guns, bombs and sweat equity in your nation's future survival. Sorry, nerds but sweat from masturbation does not count!

Re:ISIS is bombing passenger planes

[MobileTatsu-NJG]

If you are so enlightened why are you spending your Saturday night criticizing strangers over the Internet when you could be biting your nails in fear of ISIS? Clearly reckless panic will be effective, so lead by example!

Typical libtard SJW hypocrisy

Left at the hands of their own failed social experiments, they will blindly blame some of society's most fortunate - some of those even are society's most generous, Libtard SJWs will protest lack of attention to an issue. If they aren't out being fascists and shoving their view of the world down everyone's throat, then yes perhaps they may take the time to patch their own Java runtimes. Alas, like the Dice story says - If it's not presented with bells and whistles, then the libtard SJW has no such energy to dally with trivial bugs. Too many suffer as victims to brogrammer oppression and buttsex shaming. Carpet munching is OK.

YEAH

You are one of these stupid victims of the banksters, the weapons industry and McCain. Do a little research about who is behind ISIS and you will find that Ankara, Riad and some more Sunni-Mohammedic nations are behind this. ALL of whom are allies of the U.S.

Also, America sends shitloads of weapons into Syria, while pretending that these weapons do not fall into the hands of ISIS.

So, Mr Idiot, keep doing the victim for some powerful Mohammedic and Elite (Charles Battenberg and the Clintons got their cut from Riad as much as the Bushes) interests. Meanwhile we keep out of this scam and masturbate in front of our tablets. You can have a limb blown off in Arabia, if you want to further the interests of the corrupt elite.

Re:YEAH

Being retired, Im definitely a victim of the banksters LOL

Re:YEAH

Thanks to this bug I can see a whole bunch of you masturbating in front of your tablets right now!

Re:YEAH

Being retired, Im definitely a victim of the banksters LOL

At least old fucks like you will GET TO retire. The Baby Boomers fucked that all up for the Millinials. I wonder how they feel, being the first modern American generation to give their grandchildren no future? I hope that conforts them when they lie dying in a hospital bed from some kind of lifestyle disease...

Re:YEAH

[ColdWetDog]

Thanks to this bug I can see a whole bunch of you masturbating in front of your tablets right now!

That would definitely be a bug, not a feature.

Re:YEAH

Wah wah wah, I'm a millenial, my life sucks. wah wah wah.

I wonder how you feel, knowing you're a whiney stupid shit.

Re: YEAH

I hope you die in a fire.

Re:YEAH

And you've got a rock-harder 1-incher just like them. Do you need me to pass the tweezers?

Another example of why Java sucks

Java sucks and is slower than C++ and magnitudes slower than C. I have no idea why anyone still uses this bloated, security ridden language paradigm. This is barely news as everyday Java vulnerabilities are found and exploited.

Re:Another example of why Java sucks

[Kartu]

Magnitudes slower means "10-100-1000 times slower" which is BS.
Java's main problem is memory footprint, not execution speed.
Which is on par with C++ code, unless you do extreme object allocate/GC or use sin/cos (which used to be done NOT using CPUs capabilities, leading to much slower code. All to guarantee exactly the same result across platforms)

Re:Another example of why Java sucks

I would say magnitudes is correct. Not in the 100 range, but 10-20 seems accurate enough from the practical tests I've done.
Now, part of the problem could be that I don't feel comfortable with the Java documentation. I can never figure out how different methods are implemented so it's hard for my to judge if one way to solve a problem is slower than another and when to use one over the other.

Re: Another example of why Java sucks

Comparing C++ and Java is like comparing Assembler and C++. Why dont you use assembler over C++? Same reason why ppl use Java over C++. Plus it depends on what you are developing. C# vs Java thats different story but C# has similar up and downs as Java. So this discussion is kinda pointless.

Re:Another example of why Java sucks

[binarylarry]

There are so many scenarios, some where Java is faster than C++ and somewhere it is slower.

To make some kind of blanket statement makes you look like a moron.

Re:Another example of why Java sucks

There are so many scenarios, some where Java is faster than C++ and somewhere it is slower.

That sounds like a blanket statement to me...

Re:Another example of why Java sucks

I don't know "so many" but multiple small allocations/deallocations is one example.

Each new/delete is a rather complex system call, no matter how little you allocate. In case of Java it allocates quite efficiently from its internal reserve (which isn't that much of an improvement, but still some) and performs bulk GC instead of deallocating each item separately (which is a big improvement).

Garbage Collector in a lot of cases is a liability, especially if it obscures memory leaks and introduces hiccups in systems that should behave smoothly (multimedia/games). But in this particular scenario it outperforms multiple manual deallocations by strides.

Re: Another example of why Java sucks

[binarylarry]

That's because you apparently can't follow a conversation.

Re:Another example of why Java sucks

[God+of+Lemmings]

C++ maybe, but never C. Its simply not possible.

Re: Another example of why Java sucks

[binarylarry]

C++ applications can and do use GC just like Java does. The difference is you can choose how you manage memory.

Your post doesn't really make much sense.

Re:Another example of why Java sucks

[vipw]

new and delete don't generally make system calls. The system call is brk(), and it's only needed to resize the heap. The C and C++ runtimes also allocate a large heap at startup, and will only resize it when it approaches exhaustion.

Basically, the entire point of your post is lost because it is based on a misunderstanding.

Re:Another example of why Java sucks

[GodelEscherBlecch]

I am almost impressed at your epic failure of both reading comprehension and logic. Also, who the hell chooses Java for speed? Java has benefits and detriments. If you think you can say C++ > Java just because you wrote some big loopy tests, you are even dumber than your above statement makes you look.

Re:Another example of why Java sucks

[GodelEscherBlecch]

The garbage collector only obscures memory leaks if you look for them in the wrong place. If you actually took the time to learn how something works before dismissing it, you might find that profiling the JVM heap and backtracking excessive object allocations / orphanings is about the easiest problem one can detect / solve in a Java application. And who the hell is using Java for gaming/multimedia? No wonder you disliked the screwdriver with which you attempted to hammer a nail. I might as well say that C++ is shit because it takes too long to build a web UI or implement an enterprise BPM engine.

Re:Another example of why Java sucks

It's always possible to engineer a micro-benchmark where language X does worse than language Y.

For example, the favorite that "proves" C++ is more performant than C is comparing qsort to std:sort. But that only proves that the C++ standard library has more functionality than in C. Applying that logic, Torch destroys C, C++, and Java because it will dynamically compile and execute algorithms on GPUs.

Too much hype for what it actually is

[Kartu]

Your app needs to be accepting Serialized Java objects as input.
Yay.
Never seen that used in any project I was part of and if that would happen security concerns alarm would ring in pretty much any competent team.

Re:Too much hype for what it actually is

Exactly! He makes it sound like all Java app servers are pwned, but when you read TFA, he attacks managament traffic, like JMX.
Raw object serialized traffic (like RMI) should not be exposed to the outside, that's just asking for troubles.

Re:Too much hype for what it actually is

Your app needs to be accepting Serialized Java objects as input.

Agreed - this is not a "Java" security vulnerability - this is working as designed. Its the responsibility of the application owner to either:
1) Reject any user input of serialized objects
2) Accept said user input and sanitize it.

The applications they found the exploits against is the more interesting part of the story - as they are not sanitizing said input.

For WebSphere Application Server - it looks like this was fixed back in April - though I'd have to contact IBM to be certain.
http://www-01.ibm.com/support/...

Other vendors I'm not as familiar with - but I would hope took similar actions.

Re:Too much hype for what it actually is

[DarkOx]

2) Accept said user input and sanitize it.

Good luck with that! its like accepting user input that you are going to insert into a javascript string to write back to the client in a web application. No matter what you have done to sanitize it there is still almost always a hole. You just can't safely inject user controlled content into an interpreter or execution context, less the syntax is really well defined and limited. Consider SQL injection, SQL syntax and grammar is pretty specific yet it too 10 years before functions like 'escapestrings' became dependable in major frameworks and everyone had rightly moved on to tools like parametrized queries or solutions like linq by then.

Thinking you can take a object as an external input from anything but a trusted source is asking for trouble. If you do trust the source than the input domain is probably limited to begin with and there is almost certainly a better way.

Re:Too much hype for what it actually is

[binarylarry]

Yeah but hyperbole sure helps your security company get more web traffic.

That's the real vulnerability.

Re:Too much hype for what it actually is

[roman_mir]

More than that, your application has to be accepting not simple data objects, but classes with executable methods and then those need to be executed.

Of-course there are management tools that can do that (likely for bad reasons), but this also requires that the management tools are accessible from the outside and have no security around them.

Re: Too much hype for what it actually is

The requirements are not as steep as you're outlining.

All the app has to do is accept data and attempt to deserialize it using the standard methods, that's it, that's the only requirement. A lot of things (across many languages) do this. This is also where the actual issue lies (deserializing unvetted data).

It's also quite hard to actually validate it. By the time the data is deserialized, the exploit has already run, so validating after the fact doesn't help. You either have to MAC the data and verify it before deserializing (only works in situations where the client isn't supposed generate or manipulate this data) or do some crazy gymnastics with the the deserializing stuff to restrict what kinds of objects it will allow to be deserialized.

Re:Too much hype for what it actually is

[i.r.id10t]

Thinking you can take a object as an external input from anything but a trusted source is asking for trouble.

I think you mean to say

Thinking you can take anything as external input from anything but a trusted source is asking for trouble.

Anyone have that XKCD about Bobby Tables handy?

Re:Too much hype for what it actually is

[Gr8Apes]

This is not a Java security vulnerability, this is (yet another) commons vulnerability. Every project I've been on since 2006 has banned all use of all commons components across the board. That library set is a virtual shit-pile of crappy ugly hacks and bugs waiting to bite you. There's no reason to import a library to do an empty string check for example. Either cut and paste that function/class into your codebase or write your own and own it.

Re:Too much hype for what it actually is

SQL injection is trivially thwarted by using bind variables; which is also a good practice to conserve CPU resources.
Also on all the web projects that I have been; inputs were sanitized using our own function, and it was mandatory.
Both are trivial to write and use; and require some additional effort.

We shouldn't blame the programming languages for programmer laziness and incompetence.

Re:Too much hype for what it actually is

[GodelEscherBlecch]

So let me get this straight: You ban commons. You copy what you were using from commons into your own codebase (hint: this also was all you were using of commons it when you still had it). To hold to your insane 'not invented here' paranoia, you must also have banned all other projects that use commons as a dependency. So, you copy from those projects what you use, then make it use your own 'commons', or maybe you re-implement them wholesale. You rest assured in the knowledge that nasty commons code which you were not invoking will not wake up and start doing evil things all on its own, and that all of the wonderful proprietary wheels which you have re-invented are all sure to be 100% vulnerability-free because you wrote them. ??? Profit You are a genius.

Re:Too much hype for what it actually is

[Gr8Apes]

Actually, a project using commons is questionable right off the bat. The commons libraries have so many problems it's almost always better to avoid them. Commons logging is a travesty that should have been wholesale replaced long ago, yet it is still "current" and even had a relatively recent nonsensical updates that appear not to address some of its core issues. For a nice read while old, appears to still be the core of commons-loggings problems. You'll note that Craig McClanahan was involved in this, as with Digester, another pile of pain if you want to do anything dynamic. In fact, I'd go out on a limb and state that everything Craig did works statically only, if you're doing any long-running systems with mutations, you'll be debugging and altering anything he wrote (I've been through Tomcat, JBoss's adaptation of Tomcat's core, Struts, Commons-Digester and Commons-Logging among other libraries, so yes, I do indeed know what smells under the covers regarding his work)

Considering the bugs in those libraries, I'm pretty sure proprietary code is not any worse given my own history.

Re:Too much hype for what it actually is

totally. this guy is a raving loon.

Re:Too much hype for what it actually is

[Richard_at_work]

Is there such a thing as a trusted source?

Java sucks

Next story please

Not a vulnerability in Java Commons Library

[artbristol]

The linked article takes a lot of words to get to the point, which is that "WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software." will deserialize arbitrary user-supplied Java objects. To exploit that, you just provide a serialized class from commons-collections which (by design) executes the class's code during its deserialization process. If your application doesn't whitelist the classes it deserializes from an untrusted user, you deserve everything you get.

Re:Not a vulnerability in Java Commons Library

[mridoni]

Yes, whitelisting will help, but only up to a point: unless you implement some signing mechanism or sanitize your input, there's no way you can be sure that the class com.mynamespace.whatever you're deserializing is actually not harmful, even if it apparently is in the right namespace, and has the correct method signatures.

This is just another example of a useful feature leading to a "broken by design" implementation due to an oversight in planning and coding.

Re:Not a vulnerability in Java Commons Library

[squiggleslash]

If your application doesn't whitelist the classes it deserializes from an untrusted user, you deserve everything you get.

Define you and your here! How many people do you think will be hit by this who had any role whatsoever in the development or design of the standard install of the application concerned.

I think there's a lot to be concerned about here. At the very least:

- It should be easier to update a single library for a range of Java applications
- It should be easier to distribute security updates for Java applications and libraries
- Java's serialization scheme, in assuming that anything in the classpath would constitute a valid object to be deserialized, needs some rethinking.

I'm curious to know whether many/any other languages are in a similar situation. I've certainly seen some cryptic crap in the past generated by PHP that's supposed to be an implementation of something similar, but never investigated it in detail. It might be done right, which would be a miracle if it's PHP...

I'll be honest, I never fully trusted Java's serialization and always chose to design output formats instead. A lot of developer co-workers felt I was creating work for myself, and my main motivation was to have a format I (and others) could understand and debug, but - hey, understanding is half the security battle.

Re:Not a vulnerability in Java Commons Library

Ehm, Java serialization doesn't work like that. There is no code going over the wire. Just references to classes that the attacker hopes are already present on your classpath, and the data to fill them with. It happens that some classes that you might already have in your classpath are dangerous when used in this way.

Re:Not a vulnerability in Java Commons Library

To exploit that, you just provide a serialized class from commons-collections which (by design) executes the class's code during its deserialization process.

To add some details, when you deserialize a class in Java, your program needs to have the ".class" file for each class that it deserializes - that is, your programs already has the methods for the class: what it is reading in is the data for that class.

Now, apparently there's a particular class in the "commons collections" library that executes some of its data as a system command - when the class is first loaded, no less. So if your program can be tricked into deserializing a malicious version of this particular class then your program can be made to run arbitrary system commands. If your program doesn't have the "commons collections" library in its class (library) path then your program is safe (at least from this particular vulnerability). But it's a fairly common library - though fortunately not part of the standard Java runtime libraries.

I know there a lot of Java programmers who like to pull in all kinds of libraries that they don't really need. But, personally, as much as possible, I try to limit myself to the standard Java runtime libraries - and, for a webserver, just of the few of the core servlet libraries - i.e. provided by a bare tomcat install. I've seen too many Java-based websites get hacked because the programmers insisted on pulling in some obscure and unnecessary convenience library that turned out to have a nasty security vulnerability.

Re:Not a vulnerability in Java Commons Library

- Java's serialization scheme, in assuming that anything in the classpath would constitute a valid object to be deserialized, needs some rethinking.

Just set a secure system class loader on program start using the -Djava.system.class.loader= flag or isolate untrusted paths with a child class loader in your application code. This is not an issue with Java itself, the APIs have secure variations, there is a standard way to sign and verify trusted class files and there are tutorials on how to do it. The problem is signing and verifying classes adds a minuscule amount of (fully automated) complexity on top of everything else so it isn't done until someone gets bitten by it.

Re:Not a vulnerability in Java Commons Library

- It should be easier to update a single library for a range of Java applications
- It should be easier to distribute security updates for Java applications and libraries

Both are super easy assuming your libraries are backward compatible (e.g. that update really just fixed security issue and does not break the code). And the problem of backward incompatible updates can not be solved by anyone except library maintainer.

Re:Not a vulnerability in Java Commons Library

Yep.

Specifically, somebody at commons collection figured it would be a good idea to have a serializable class that will call through reflection any arbitrary method with any parameters as specified in the deserialized data. Send Runtime.getRuntime().exec(... whatever ...), done.

This is absolutely a problem in commons-collections. This functionality is inherently unsafe, and of use to like 5 people out there, all of which can code the 5 lines required to do this on their own.

The fact that a way was found to trigger this during deserialization itself, instead of triggered by a method call later, is just icing on the cake.

Re:Not a vulnerability in Java Commons Library

[ChaseTec]

The type of class loading you are talking about would only happen when using object serialization with RMI and codebase setup to allow for dynamic class downloading. Object serialization only sends the data portion of an object. If you want to know more you can look at how the format works: http://docs.oracle.com/javase/...

Re:Not a vulnerability in Java Commons Library

[ChaseTec]

In an object oriented language an object is a combination of data and behavior (methods). If you want to transfer data across the wire with an object oriented system the natural place to put that data is into an object. Not trusting object serialization originates from a lack of knowledge on what is happening and you should educate yourself. Everything you want to know about serialization is here: https://docs.oracle.com/javase...

What you are doing by designing your own data formats is adding inherent whitelisting. Your reader/parser probably does a "new" on a specific set of classes. That prevents the type of vulnerability (arbitrary class loading) being discussed in the article but also requires you to reinvent the wheel for every data format.

You could have been using http://docs.oracle.com/javase/... to serialize data since that would give you an easy way to inspect the data type before recreating. You can even setup inspection/whitelisting with traditional object serialization if you wanted to: http://www.ibm.com/developerwo... .

Nowadays JSON is a pretty universal data format for wire transfers. You can deserialize JSON to trusted data-centric classes like Map, List, String, Integer, etc. That would give you universal encoding/decoding without arbitrary class loading. Unless you are required by a 2nd party to use some proprietary wire format there is no reason to roll-your-own encoding/decoding.

Re:Not a vulnerability in Java Commons Library

[angel'o'sphere]

And the article is wrong with that.

First of all: serialized objects are only exchanged between servers that agree to that each other. In other words your computer is sending requests to my computer, and I answer only if I know who you are and vice versa.

Serialized objects in Java is no difference than SOAP requests or JSON objects, or CORBA or other means to do RPC/RMI.

In other words: you simply can't attack my App via the web/HTML/Forms just because it is running on a WebSphere EJB Server. No one is going to input a serialized object into a random field in a web form and the server is "executing" it.

Finally: serialized objects are just data, they contain no code. So there is nothing to execute. If you read the article, you see: the only code executed is the "readObject" method that already is on the server!!

Could you craft such an exploit to actually do exploit something? Yes, if the host in question trusts you, AND if you know a good deal about the software running there.

First of all: there is no outside code executed when you transfer an object, the article is wrong with that. So you need a way to execute your code. The only way I can imagine is: you provide objects of derived classes. E.g. if on the server a class "Customer" exists and you are regularly sending serialized objects of that type to the server, you could send a "DerivedCustomer" object, because only then the server would hick up and say: no idea how to deserialize that! I have no class called "DerivedCustomer" and the server tries to download that one from you, with a so called RemoteClass loader. Now if you have some rogue code in a simple method like "getCustomerID()" of course you can execute that.

However, as I explained in the beginning ... somehow you have to convince the server and its owner to load serialized objects from you: how do you do that?

Re:Not a vulnerability in Java Commons Library

Actually, if you'd read the article more carefully, you'd see that it is uploading code. Shell code.

The way it works is this:

When java wants to serialize an annotation, it doesn't actually do that. Annotations are not serializable. Instead it sends a proxy. A specific one called AnnotationInvocationHandler. The purpose of this is to make sure that the downloaded annotation behaves like an annotation (equals, hashcode and so on, for instance it clones array before returning them). This proxy contains a map of the annotation's values. During deserialization Java checks that the values in this map are of the right type. To do this, it needs to get them.

Enters commons-collection. This contains a specialized map that allows values to be lazily created or modified as required, using the Transformer interface. Fine.

The problem is that someone thought it would be a good idea to have a transform that:
a) is serializable;
b) calls arbitrary code using reflection based on the serialised strings!

What the exploit does is pass in a AnnotationInvocationHandler that contains a crafted commons-collection map that contains a few chained InvokationTransformer that in effect invoke Runtime.getRuntime().exec(shellcode). "java.lang.Runtime", "getRuntime()", "exec" and "shellcode" all being serialized parameters.

Game over.

One could argue that the AnnotationInvocationHandler should maybe vet the Map type.
One could also argue for whitelisting - except usually people drag in commons-collections because they want to use these collections.
But fundamentally, the problem is with this InvokationTransformer. There's no good reason to have a class running reflection from deserialised state. That's just asking for trouble.

As for convincing the server to accept them, well, that's fair enough. The problem is that quite a few of those servers will by default accept RMI connections, sometimes over the internet, for management purposes.

Re:Not a vulnerability in Java Commons Library

[bbn]

Finally: serialized objects are just data, they contain no code. So there is nothing to execute. If you read the article, you see: the only code executed is the "readObject" method that already is on the server!!

Did YOU read the article? The serialized objects are just data - well except if someone made a readObject that as part of the deserialization process executes steps based on that data. Programs are just data.

The "bug" is that someone did exactly that and put it into a very common library. If you have that library on your classpath, and chances are very high that you do, then you have no defense against this. You lose the moment you try to deserialize the data. It does not matter that you are expecting the data to deserialize to something completely different.

Say you make a class called UserInfo and put that into a cookie using serialization. If you did that, you are a goner. There is no way you can deserialize that cookie without risking that somebody replaced the cookie value with serialized data from Apache commons. You will not know that it is not actually UserInfo data anymore until after he rooted your system.

The only solution is to a) do not deserialize data that could be modified by an adversary. Or b) if you must, make sure Apache commons is not on the classpath while you do so (could be done with a custom classloader).

Personally I would ditch the build in java serialization and use another serialization library, one which does not allow arbitrary class names in the serialization data. I switched to Scala long ago and in the Scala world most serialization libraries do not use reflection to (de)serialize, and therefore fulfill that requirement.

Re: Not a vulnerability in Java Commons Library

[GrantRobertson]

This! Plus:

Java is perceived to be more vulnerable for the same reason it is more popular ... More comes "in the box."

The Java language comes pre-packaged with a huge set of libraries. C and C++ are really nothing more than concepts. You install a compiler that implements the concept. So, if the compiler has a vulnerability or bug, people blame it on the compiler. Libraries, toolkits, and frameworks are available for C and C++. However, they too are perceived as separate from the languages. So, if said "accessories' have bugs, people blame it on the accessories rather than the language.

C and C++, by definition, cannot have bugs because the are merely concepts. "Java," by its definition as a concept as well as an entire ecosystem of actual code is bound to have infinitely more bugs than C or C++.

When people blame the Java concept and ecosystem as a whole for bugs that exist in one or two of said "accessories," it just shows me they haven't learned how to use that wet, squishy thing just below their hair-product display area.

Re:Not a vulnerability in Java Commons Library

[angel'o'sphere]

Did YOU read the article? The serialized objects are just data - well except if someone made a readObject that as part of the deserialization process executes steps based on that data. Programs are just data.
Did you read my post?

That readObject method is not in the serialized objects: it needs to be already on the server!

There is no way to smuggle code via deserialization into the computer that is accepting the objects except the way I sketched in my post.

Re:Not a vulnerability in Java Commons Library

[bbn]

readObject is not something on the server, it is just a method signature defined by the serializable interface in the Java standard. The vulnerable code needs to be on the server of course, or there is nothing to abuse. The vulnerable code is in the Apache commons library, which has a class that implements serializable and therefore provides a readObject method, that can be abused.

But then you write something like "Serialized objects in Java is no difference than SOAP requests or JSON objects, or CORBA or other means to do RPC/RMI". But that is completely wrong in this context. The reason we have this bug is exactly because there is a difference from java serialization and all of the others that you mention. And that difference is that the serialization data includes arbitrary class names that allows the attacker to cause your code to load _any_ class that implements the serializable interface, no matter if that has anything to do with what you are working with here or not.

If you use JSON you will not have that. JSON can only cause strings, numbers, arrays and hashmaps to load.

This is also wrong: "Finally: serialized objects are just data, they contain no code. So there is nothing to execute. If you read the article, you see: the only code executed is the "readObject" method that already is on the server!!" - yes the exploit is in a readObject implementation, but that exploit allows the attacker to transmit arbitrary code and have it executed. Code that was in no way on the server already.

"First of all: there is no outside code executed when you transfer an object, the article is wrong with that. So you need a way to execute your code. The only way I can imagine is" - or the way the article describes. Which is not a derived object. He sends a serialization of a completely different object, namely the vulnerable class in Apache commons. The deserialization in Java just returns "Object" - there is no expectation here that the returned object be of the type that you, the programmer, expects. You will then of course get a class cast exception if you just cast it, or your code will notice something is not right if you do a isInstanceOf on it. But by then it is too late, he already had his custom code executed by Apache commons when the readObject method in there was called.

You need to know absolutely nothing about the system you want to attack. You only need two things, one is for the system to be vulnerable (=Apache commons needs to be on the classpath) and the other is that you need to find something the system serializes. You do not need to care about what it is that it serializes, because you will provide it with your hacked object, and the deserialization will fail but by then you already got what you want.

So if your web application does not use serialization the second prerequisite will fail and you are safe. But if you did something like putting a serialized object into a cookie, then you are done for.

Re:Not a vulnerability in Java Commons Library

- Java's serialization scheme, in assuming that anything in the classpath would constitute a valid object to be deserialized, needs some rethinking.

Not really. There's already several alternative, restricted serialization standards to choose from. You've got JSON and msgpack just OTOMH. It's not like you can't pick a secure interchange format when needed, and the freedom such serialization scheme gives you may be an important feature in trusted contexts.

I'm curious to know whether many/any other languages are in a similar situation. I've certainly seen some cryptic crap in the past generated by PHP that's supposed to be an implementation of something similar, but never investigated it in detail. It might be done right, which would be a miracle if it's PHP...

Python has the same issue. Python's pickle format is a bytecode virtual machine that allows arbitrary execution. It's widely advertised as insecure for untrusted input where you should use one of the alternatives mentioned above.

Re:Not a vulnerability in Java Commons Library

In an object oriented language an object is a combination of data and behavior (methods). If you want to transfer data across the wire with an object oriented system the natural place to put that data is into an object. Not trusting object serialization originates from a lack of knowledge on what is happening and you should educate yourself.

I would say not trusting object serialization is a result of educating oneself precisely. It's perfectly fine to not trust insecure implementations. It would be in fact lack of education to actually trust it.

Re:Not a vulnerability in Java Commons Library

[GodelEscherBlecch]

Once, just once I would like to see somebody here discuss Java that actually knows how the fuck it works.

Re:Not a vulnerability in Java Commons Library

[angel'o'sphere]

I stand corrected.

I read the slides mentioned in the article, they are much easier to understand than the article itself, and I have to admit, I stopped reading the first time shortly afte the authors catchy claims:
"Java loves to ...
serialize objects in HTTP requests etc.
"
When Java actually is just a language and a platform ... and does nothing the programmer did not program.

Anyway, we three things:
a) the vulnarability is imho not a vulnarability but a deliberately crafted backdoor. If the author can be found via the SCCS, he should minimum ne banned from contributing or even criminal prosecuted
b) my thought process, even under the knowledge that there is a flaw in the commons lib, was wrong. First of all I never came to the idea that one indeed would serialize objectes into cookies or do similar nonsense with them. See c)
c) I was more thinking about RMI, where I basically call a method like:

      remoteEndpoint.myMethod(new MyPayloadClass(), some, other, args);

As the method signature is defined in the remote interface of the server, my thought process was: the server will reject the payload if it is of the wrong tyoe and throws an RemoteException.
Problem: the call and/or the exception happens after the deserialization. So the bad code in apache commons already is executed. Or perhaps easier explained: such a remote call works basically in the following steps
1) a normal method call to a stub method on the client side
2) the RMI/serialization framework serializes the parameters and the name of the interface and the name of the method to call into a 'blob'
3) that blob is send via the network
4) now the harm begins: before being able to to know if the recieved data matches the interface, it needs to be deserialized. If an attacker sends instead of MyPayloadClass and EvilCommonsObject, the deserialization will execute what ever commands are hidden inside EvilCommonsObject
5) the remote call is deserialized, the RMI framework now can deside which method to call, if it exists and if the parameters match, the call is either executed and its result or exceptions are send back, or the call is rejected with an exception.
As we see, the harm was in step 4) and the attacker would not care about step 5) anyway.

Thanx for persisting on the topic. Someone never stops learning new tricks/pitfalls.

Why do the refuse to name the library?

Is it because it doesn't exist? Because this is just yet another spew of lies from the anti-tech Republicans. They hate us and want us to die. They hate us so much they make me want to die, as I assume many of you do too. That is the way of their kind. Spew out a bunch of lies to destroy the lives of others. Lives of others.

Re: Why do the refuse to name the library?

You're probably right since I have never heard of on of those selfish Java developers sharing code. They're so greedy. Being around their kind makes me ill. They are so CONservative.

Re: Why do the refuse to name the library?

The GOP truly is the party of death.

Re: Why do the refuse to name the library?

Spew is correct. Java morons don't share code so this is a lie which is why they refuse to name the library since it doesn't exist.

Re: Why do the refuse to name the library?

The media lies constantly since they are owned by the Republicans.

Re: Why do the refuse to name the library?

Their kind doesn't believe in free press. They are not whole people.

"Monkey Island" - Now it has a name!

[burni2]

Can you deal with the details, now ?

Because it has gotten a name.

Or is "Bad Coffee" better?

JAVA is intrinsically safe!

This must be 100% bullshit! JAVA is by design 100% safe and we all know it. Stop trolling!

Re:JAVA is intrinsically safe!

What's that JAVA you're talking about? A variant of BASIC or FORTRAN or FORTH?

This article is about Java.

Re:JAVA is intrinsically safe!

This article is about Java

A variant of BACKDOOR.

Go away greenwow

You are an idiot

remote code execution expoit, but

[nmpg]

Well, nobody really exposes mentioned software to the internet, right? For instance, It is accepted as good practice to have nginx used a request router, which kinda lowers the impact of this exploit, or am I am wrong?

Re:remote code execution expoit, but

[myowntrueself]

Well, nobody really exposes mentioned software to the internet, right?

For instance, It is accepted as good practice to have nginx used a request router, which kinda lowers the impact of this exploit, or am I am wrong?

'remote' doesn't just mean 'the internet' it can also mean 'local network'.

C vs C++

A bit old, but:
http://unthought.net/c++/c_vs_c++.html

Not a Java, or even a library vulnerability

[kervin]

We were corrected by Mr. Frohoff that said the vulnerability is in how developers treat user-supplied serialized data, and not the library itself.

http://news.softpedia.com/news/the-vulnerability-that-will-rock-the-entire-java-world-495840.shtml

This is an issue with how some users use a 3rd party library Apache Commons Collections. Java doesn't have to be fixed. And Apache Commons-Collection doesn't have to be fixed, except maybe stating the obvious...

Do not deserialize objects with executable code from the internet.

Re:Not a Java, or even a library vulnerability

[PPH]

There's a warning right there in the org.apache.commons.collections.Limb.Foot documentation about calling the doShoot() method with unsigned copies of org.apache.http.client.Bullet.

Re:Not a Java, or even a library vulnerability

[cbhacking]

Apache Commons Collections contains an arbitrary shell command injection vulnerability reachable from the readObject function of one of its Serializable classes. Due to the way Java deserialization works, any Serializable class can be specified in a serialized Java object format, and unless there's code filtering the serialized binary data before deserializing it, that's enough to trigger the exploit.

Saying "Do not deserialize objects with executable code from the internet." sounds like a solution, but Java deserialization of objects passed on the wire is everywhere, and often even used pre-auth. Some of these things are management interfaces that definitely shouldn't be exposed to the Internet, but most of them will be exposed to the local network and that's still bad (arbitrary code execution in a server's management interface, callable by anybody who has access to the internal network even if they have no creds).

Fixing Commons Collection so that it can't be used for shell command injection would be a much more proper fix. Deserializing Java objects from the Internet *shouldn't* be dangerous; the simple act of deserializing an object should never inherently by harmful! Remember, the attacker can't force you to call any method of those objects. The attacker can't send objects that you don't already have class definitions for. The attacker can't add functions, or otherwise modify the class definitions. The only thing the attacker can be sure will happen is that the readObjection method - if it exists for the class in question - will execute. That's it. That should *NEVER* be enough to get arbitrary code execution!

Re:Not a Java, or even a library vulnerability

Well , I never use apache things personally. They smell bad.

mod 3own

pr0gress. In 1992, ago, many of you

Dead language.

Just delete Java, seriously. Oracle is never going to keep it secure. Deleted from my PC at least two years ago for security reasons and have never looked back.

Re:Dead language.

[Ash-Fox]

It's not an Oracle issue though, it's how developers are using a 3rd party library.

Re:Dead language.

[GodelEscherBlecch]

Holy shit. Do you actually think that this has anything to do with the Java that is installed on your computer? To be safe, better go ahead and delete that OS too!

Would it kill you to mention the vulnerability?

[shess]

Is it so subtle and insidious that it is simply impossible to name? Or do you just not understand what you're reading?

[Here, let me give it a go: Basically apps blindly trust network input and let it run in their execution context.]

[[Though I suppose when you put it _that_ way, you can't spend your time implying that it's somehow Java's fault.]]

Re:Would it kill you to mention the vulnerability?

[phantomfive]

apps blindly trust network input and let it run in their execution context

If you put it that way, you've basically described every remote execution exploit. You ought to mention that it's in the de-serialization library (although the writers of the library would say, "you're holding it wrong").

Re:Would it kill you to mention the vulnerability?

[cbhacking]

It's an OS commend injection vulnerability. Deserializing an object should not, by itself, ever execute arbitrary code. The only function that automatically runs on a deserialized object is that object's readObject function, which should in no way be usable to execute an arbitrary OS command. Apparently the writers of this library would find that concept bemusing.

This isn't a matter of

Deserialize the object, see if it's an instance of FootGun, and if so call its shoot() function. We're just that stupid.

This is more a matter of

Well, we expect an object of type Foo, but it should matter what it is as long as we don't call any functions on it and it can only be something in our server's classpath anyhow. Let's deserialize it to see what it is. Huh, it deserialized to a FootGun instead, and for some reason the FootGun class automatically calls shoot() upon deserialization!
 
  Why the fuck do we even have a self-firing FootGun in our classpath, anyhow?

In case you missed it, the Apache Commons Collection library is, for some reason, shipping a self-firing footgun. They should patch that.

Re:Would it kill you to mention the vulnerability?

[phantomfive]

Deserializing an object should not, by itself, ever execute arbitrary code. The only function that automatically runs on a deserialized object is that object's readObject function, which should in no way be usable to execute an arbitrary OS command.

Yeah, allowing arbitrary OS commands to be executed during deserialization violates the principle of least astonishment.

How to whitelist classes

[ChaseTec]

Here is an example of how to whitelist classes by subclassing ObjectInputStream: http://www.ibm.com/developerwo...

Not a big JAVA fan here but... apk

See subject: At least this was caught to be patched. That's the important thing (hopefully before it was or can be misused maliciously).

I code in it - but I don't *REALLY* like it. Not so much the code, it's close enough to C++ for me to be @ home with it. It's more the promises made about it (yes, it does do garbage collecting cleanup vs. having to potentially "delint" C or C++ code on new-malloc/delete - to dispose of memory or object references) but it's more the whole runtime slowup that bugged me... sure, it's nice to have that "crutch" to support you, but the runtime speed hits overheads always bothered me. Why?

That doesn't HAVE to be there IF/WHEN you do it yourself, manually, in code.

I have a job offer in fact for JAVA coding for a BIG finanicial concern in my area I've done contract work for before, but I've turned away from it for these reasons (I only work part-time nowadays is why too: Semi-retired): I don't want to be responsible for OR be involved with something that has a faulty trackrecord where big money is involved...

* Feel free to correct me if/when I made any mistakes here, I haven't had my coffee yet today... I don't express myself well & miss things in that case many times myself (& yes, I write "stream of consciousness" most times too, no edits) - & please - no "grammar/spelling nazi" b.s. for "corrections"...)

APK

P.S.=> This is part of what's biting Google in the behind using it on ANDROID imo (their version of java in dalvik - right there alone, NOT working with what exists & has massive "eyes on the code" hopefully correcting flaws in its base & compilers) - "the new hotness" always comes out with what's many times already resolved in the older stuff turning the new into "old & busted" & what was busted + fixed LONG AGO in the older stuff... apk

Re:Not a big JAVA fan here but... apk

[GodelEscherBlecch]

No, you must not be a big Java fan (or person who is the least bit aware of how it works or what it is good for). You do realize that it is not the language that would be patched but a commonly used open source project, right? And that such projects can be written in any language to have vulnerabilities? Hmm...how many vulnerability-inducing DLLs/SOs have ever been created vs .jars? Which one is more likely to allow arbitrary code execution vs. just offering somebody the ability to destabilize the application itself? Yeah, we really need to 'patch' that Java menace. And, to do a compare/contrast of Java / C++ based on syntax and the basics of object allocation just severely misses the point of why you would use one or the other.

Not a big JAVA fan here, but... apk

See subject: At least this was caught to be patched. That's the important thing (hopefully before it was or can be misused maliciously)...

I code in it - but I don't *REALLY* like it. Not so much the code, it's close enough to C++ for me to be @ home with it. It's more the promises made about it (yes, it does do garbage collecting cleanup vs. having to potentially "delint" C or C++ code on new-malloc/delete - to dispose of memory or object references) but it's more the whole runtime slowup that bugged me... sure, it's nice to have that "crutch" to support you, but the runtime speed hits overheads always bothered me. Why?

That doesn't HAVE to be there IF/WHEN you do it yourself, manually, in code.

I have a job offer in fact for JAVA coding for a BIG finanicial concern in my area I've done contract work for before, but I've turned away from it for these reasons (I only work part-time nowadays is why too: Semi-retired): I don't want to be responsible for OR be involved with something that has a faulty trackrecord where big money is involved...

* Feel free to correct me if/when I made any mistakes here, I haven't had my coffee yet today... I don't express myself well & miss things in that case many times myself (& yes, I write "stream of consciousness" most times too, no edits) - & please - no "grammar/spelling nazi" b.s. for "corrections"...)

APK

P.S.=> This is part of what's biting Google in the behind using it on ANDROID imo (their version of java in dalvik - right there alone, NOT working with what exists & has massive "eyes on the code" hopefully correcting flaws in its base & compilers) - "the new hotness" always comes out with what's many times already resolved in the older stuff turning the new into "old & busted" & what was busted + fixed LONG AGO in the older stuff... apk

This is a very cook exploit

I took the time to read up on how it works and write up an explanation of how it works for people who aren't Java programmers.

Why? Because we can get our VB programmers...

to write java code without too much damage. Getting them to write C++, not a chance.

Plus for a lot of stuff it's fast enough.

apache commons

[melmut]

"Commons"? Fortunately, not universal. Naming a library "commons" does not make it part of the language. All those Apache Commons libraries share one thing: they are mostly collections of anti-patterns. Stuff that can often be done better without dependencies, with real standard libraries (part of the platform) instead of collections of trees of mutually-incompatible libraries that look as written by a lazy first-year student. They feature null checks that make it obvious that the lazy programmer that use them consider null and empty as equivalent, which should in itself raise red lights. At best, they reinvent the wheel, quite often in a bad way. Those dependencies are something you won't find in my projects, and the first thing I remove from projects that I have to take over. Whoever depends on this deserved those things. I'd need to read TFA more extensively, but is there any bug report open for the concerned app servers?

Re:apache commons

[prunus.avium]

Sure, but the list of affected web apps is impressive.

WebLogic, WebSphere, JBoss, Jenkins, OpenNMS

The trouble comes from the fact that it looks like using any part of the Commons libs will pull in this vulnerability and the Apache devs are basically saying "don't allow serialised object to come in from the network." but that seriously hinders the usability of a web app.

And as others have pointed out, if you use a serialized object in the cookies - say a state cookie - the vulnerability can be invoked before the user input is touched.

Re:apache commons

Actually apache-commons libraries are super helpful. They contain a lot of things that don't exist in the standard library but that are really very useful. You want a map with LRU semantics? Commons-collections has one, so you don't need to roll your own. Yes, it's like 50 lines or nicely-documented code, but that's 50 fewer lines of code you have to maintain.

Saying that commons is useless is like telling C++ programmers that Boost and STL are useless because you can build everything you need with the base language.

Have fun rolling your own Multimap.

[Rujiel]

There are a lot of reasons to use apache commons beyond checking if a string is empty.

Re:Have fun rolling your own Multimap.

[Gr8Apes]

And there are a lot more reasons to avoid including them.

Apache Commons Collections 3.x.

[Corporate+T00l]

It was pretty darn hard to parse that article to understand what library the author was talking about, but after some research, the issue seems to be a vulnerability in the Apache Commons Collections library.

I don't understand why the OP calls it "Java commons" or why the author of the article goes out of his way to not mention the name "Apache", using it only when copying and pasting code lines but never stating it in prose. Sure, there are lots of people who may have Java, but if the security vulnerability is of the magnitude that is claimed, properly identifying where it is located would be the logical first step.

There is a somewhat better article at InfoQ.com that parses out the original article and describes it more clearly.

Re:Apache Commons Collections 3.x.

[prunus.avium]

I don't understand why the OP calls it "Java commons"...

Probably because the path where the web applications keep the jar file is .../WEB-INF/lib/commons-collections-3.2.1.jar. No mention of Apache in that path.

Insecure Java has low self-esteem issues?

Is Java moping around the house in pajamas all day with insecurities and low self-esteem?

Do you call Java and it doesn't respond or responds with a sigh and a "I really don't feel like I can do it" error message?

CVE number?

[KlaatuVarataNiktu]

CVE number or it didn't happen. https://en.wikipedia.org/wiki/...

Looking in the wrong place.

[purplie]

The real fault seems to be in classes like AnnotationInvocationHandler or PriorityQueue (both part of the Java library), whose readObject() methods trustingly call some methods on their child objects.

AnnotationInvocationHandler calls map.entrySet(); PriorityQueue calls compare(). You just make sure the child object executes malicious code when executing those methods. For the child object, you can find a utility class such as LazyMap (from Commons) that executes a function while calling entrySet(). The function can be another utility class that executes some method by reflection (e.g. a Runtime method). These utility classes are all over the place to support functional-style or config-as-code programming.

But I think the real fault lies in those classes that execute child code during readObject(). It doesn't lie in the Commons classes that are used for the children.