Slashdot Mirror


Vulnerability In Java Commons Library Leads To Hundreds of Insecure Applications (foxglovesecurity.com)

An anonymous reader writes: Stephen Breen from the FoxGlove Security team is calling attention to what he calls the "most underrated, underhyped vulnerability of 2015." It's a remote code execution exploit that affects the latest versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software. How? An extremely common Java library. He says, "No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released over 9 months ago, none of the products mentioned in the title of the blog post have been patched, along with many more. In fact no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications."

4 of 115 comments

  1. Too much hype for what it actually is by Kartu · Score: 5, Informative

    Your app needs to be accepting Serialized Java objects as input.
    Yay.
    Never seen that used in any project I was part of, and if that happened, security alarm bells would ring in pretty much any competent team.

    1. Re:Too much hype for what it actually is by Anonymous Coward · Score: 5, Informative

      Your app needs to be accepting Serialized Java objects as input.

      Agreed - this is not a "Java" security vulnerability - this is working as designed. It's the responsibility of the application owner to either:
      1) Reject any user input of serialized objects
      2) Accept said user input and sanitize it.

      The applications they found the exploits against are the more interesting part of the story - as they are not sanitizing said input.

      For WebSphere Application Server - it looks like this was fixed back in April - though I'd have to contact IBM to be certain.
      http://www-01.ibm.com/support/...

      Other vendors I'm not as familiar with - but I would hope took similar actions.

  2. Not a vulnerability in Java Commons Library by artbristol · Score: 5, Informative

    The linked article takes a lot of words to get to the point, which is that "WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software" will deserialize arbitrary user-supplied Java objects. To exploit that, you just provide a serialized class from commons-collections which (by design) executes the class's code during its deserialization process. If your application doesn't whitelist the classes it deserializes from an untrusted user, you deserve everything you get.

    1. Re:Not a vulnerability in Java Commons Library by Anonymous Coward · Score: 4, Informative

      Ehm, Java serialization doesn't work like that. There is no code going over the wire. Just references to classes that the attacker hopes are already present on your classpath, and the data to fill them with. It happens that some classes that you might already have in your classpath are dangerous when used in this way.