Another Java Cybersecurity Mess

Foxglovesecurity has found a problem in Java(From 11/6):

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

 

And the interesting thing is that Oracle is trying to sell their products and services to everyone as cloud Applications.

oracleweblogsuite

What you don’t know is that there is no patch for a Java Library containing a vulnerability that has code to hack it for 9 months now. Any commercial products that have a connection to this Java library: Weblogic, Websphere,  JBoss, Jenkins, OpenNMS, and potentially your application with Java functions.

It looks like unserialized vulnerabilities are not an ‘easy’ or simple method to uncover and understand fully. But ‘simply’ it takes binary data and converts it to something that you can use. If you want to get into the details of what is exactly happening in Java’s unserialized vulnerability.

To me it means that if your programmer wrote a Weblogic, Websphere, JBoss, Jenkins, or OpenVMS application   Unless they avoided the following:

Java LOVES sending serialized objects all over the place. For example:

  • In HTTP requests – Parameters, ViewState, Cookies, you name it.
  • RMI – The extensively used Java RMI protocol is 100% based on serialization
  • RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
  • JMX – Again, relies on serialized objects being shot over the wire
  • Custom Protocols – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come

 

So if the above happens then a remote code execution can occur as

Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) gave a talk on 1/28/15 at AppSecCali to the “commons collection library”  Here are the slides from this presentation:  http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

So the short story is its a complex Java vulnerability and if your website or other network application(s) are running Java with the common collection library you are susceptible to criminal hackers (only if your programmers used the common library in a specific manner).

This vulnerability also has a CVSS of a 10.0.

And as foxglovesecurity states this vulnerability does not have a sexy name (like POODLE, or Shell Shock.

 

This is why sometimes you have to let others check your website for potential vulnerabilities.

Contact Us for help with testing your websites.

 

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.