JAVA's War: One impact of the extensive Java toolset RCE vulnerability-vulnerability warning-the black bar safety net

2015-11-12T00:00:00
ID MYHACK58:62201568898
Type myhack58
Reporter 佚名
Modified 2015-11-12T00:00:00

Description

In January, security researcher Gabriel Lawrence and Chris Frohoff published a impact range is quite wide of the Apache Commons tool set for remote code execution RCE)vulnerability, due to Apache Commons tool set is almost the JAVA technology platform in the application of the most extensive library of tools, and therefore affect almost throughout the JAVA camp. ! However, due to the vulnerability of the very profound and difficult to understand, despite the researchers best efforts to call people to attention, in vulnerability disclosure after almost a year the problem still does not get widespread attention. Recently, the well-known blogger Matthias Kaiser in the program to revisit the issue, and let Foxglove security company of Steve Breen through a quick demo to let know about the RCE vulnerability harmful. In the demo, the Breen by the Apache Commons tool set RCE vulnerability quick to crack a number of applications, including WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS, the application, these applications are a large number of calls to a Commons set of tools by remote code execution is possible for these applications to initiate a remote attack. Although Apache Commons tool set is not Java one of the core, but due to JAVA need by calling the Apache Commons tool set and other Java libraries to the“object of the anti-line of the processing object deserialization operations”, can not be used as a third-party tool to treat, since in Java serialization and anti-series line of data is the most commonly used instance of the Apache Commons tool set is almost the JAVA technology platform in the application of the most extensive library of tools, and therefore the impact would be very broad. Latest Apache Commons tool set library remains 2 0 1 3 year 1 1 month posted 4. 0 version, the Breen as the vulnerability provides a relatively simple repair, but unfortunately not as a perfect solution. Breen also recognized their fix a bit shabby, I hope that the vulnerability can cause more people's attention. Vulnerability details: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ http://developers.slashdot.org/story/15/11/08/0346258/vulnerability-in-java-commons-library-leads-to-hundreds-of-insecure-applications EXP: GitHub https://github.com/foxglovesec