Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: ICYMI: Widespread Unserialize Vulnerability in Java SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
ICYMI: Widespread Unserialize Vulnerability in Java

On Friday, a blog post from Fox Glove Security was posted that details a widespread Java unserialize vulnerability that affects all the major flavors of middleware (WebSphere, WebLogic, et al).  There is a lot of great details, including exploitation instructions for pentesters, in the post so go take a look. It didn't get much press because admittedly it's complicated to explain.  It also doesn't have a logo.

In this case, they describe how to use this class of vulnerabilities for remote code execution of Java-based web applications.  This vulnerability is present in the "common-collections" library in Java.  As you can imagine from the name, this has a huge surface area of attack of applications all over including those that are custom-coded that use those class files.

The exploits demonstrated have to be initiated from the local network, but in poorly configured environments this may lead to truly remote attacks being successful.

The short version is that many programming languages (in this case Java), accept serialized input from users and convert it to unserialized data.  If that data is not otherwise sanitized (or ideally, never take untrusted input in the first place, at least for unauthenticated users).  It's the oldie but goodie of unsanitized input with a mix of OWASP A9 of Components with Known Vulnerabilities.

At present, these does not appear to be a patch for the vulnerability but the blog post above does layout a very ugly mitigation that can be deployed.

P.S. From the blog, "No one gave it a fancy name, there were no press releases, nobody called XXXXXX (insert firm I shouldn't mock here) to come put out the fires.". Well played, good sir, well played.

John Bambenek
bambenek\at\ gmail /dot/ com
Fidelis Cybersecurity


262 Posts
ISC Handler
Nov 9th 2015
Mass scanner for the Java serialize bug

Sign Up for Free or Log In to start participating in the conversation!