Foxglovesecurity has found a problem in Java (from 11/6):
And the interesting thing is that Oracle is trying to sell its products and services to everyone as cloud applications.
What you may not know is that there has been no patch for a Java library containing a vulnerability with public exploit code for 9 months now. Any commercial product that depends on this Java library is affected: WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and potentially your own application if it uses Java.
Deserialization vulnerabilities are not an 'easy' or simple thing to uncover and understand fully. Put 'simply', deserialization takes binary data off the wire and converts it back into objects that the program can use. If you want to get into the details of what is exactly happening in Java's deserialization vulnerability.
To me it means that if your programmer wrote a WebLogic, WebSphere, JBoss, Jenkins, or OpenNMS application, it is exposed unless they avoided the following:
Java LOVES sending serialized objects all over the place. For example:
- In HTTP requests – Parameters, ViewState, Cookies, you name it.
- RMI – The extensively used Java RMI protocol is 100% based on serialization
- RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
- JMX – Again, relies on serialized objects being shot over the wire
- Custom Protocols – Sending and receiving raw Java objects is the norm – which we'll see in some of the exploits to come
So if any of the above happens, remote code execution can occur, as Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) showed in their talk on 1/28/15 at AppSecCali on the Commons Collections library. Here are the slides from this presentation: http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
So the short story is that it's a complex Java vulnerability, and if your website or other network application(s) are running Java with the Commons Collections library you are susceptible to criminal hackers (only if your programmers used the library in a specific manner).
This vulnerability also has a CVSS score of 10.0.
And as foxglovesecurity states, this vulnerability does not have a sexy name (like POODLE or Shellshock).
This is why sometimes you have to let others check your website for potential vulnerabilities.
Contact Us for help with testing your websites.