Background description
Tomcat is a Servlet container developed by the Jakarta project of the Apache Software Foundation. It implements the Servlet and JavaServer Pages (JSP) specifications published by Sun Microsystems and, as a web server, provides some unique features such as the Tomcat management and control platform, security realm management and Tomcat valves. Tomcat is popular with programmers because it uses few system resources, is extensible, and supports functions commonly needed when developing application systems, such as load balancing and mail services.
Vulnerability description
Oracle fixed the JmxRemoteLifecycleListener deserialization vulnerability (CVE-2016-3427). Tomcat also uses this JmxRemoteLifecycleListener listener, but Tomcat was not upgraded in time, so the same remote code execution vulnerability is present there.
Affected versions:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Affected scenario:
Zabbix 2.0 added JMX monitoring to the system itself, so it no longer depends on third-party tools. This makes monitoring Tomcat and other Java applications easier. What follows is a brief description of how Zabbix uses JMX to monitor a Tomcat process.
Vulnerability verification code (POC):
Tested version: Tomcat 8.0.36
Add the listener configuration to conf/server.xml, add the catalina-jmx-remote.jar package, and modify the catalina configuration file.
```
F:\HackTools\EXP>java -cp ysoserial-master-v0.0.4.jar ysoserial.exploit.RMIRegistryExploit localhost 10001 Groovy1 calc.exe
```
This vulnerability has other exploitation paths as well, and the harm is huge, so changing the JMX configuration to require password authentication is very necessary!
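To make the two checks the text implies concrete (is the running Tomcat inside one of the affected ranges listed above, and is the JMX remote listener exposed without password authentication), here is a small configuration audit written as an added example for this page; it is not code from the article or from the Tomcat project. It assumes the listener's `className` and `rmiRegistryPortPlatform` attributes in server.xml and the standard `com.sun.management.jmxremote.*` JVM flags; the server.xml and CATALINA_OPTS samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the advisory above (inclusive bounds).
AFFECTED = [("9.0.0.M1", "9.0.0.M11"), ("8.5.0", "8.5.6"),
            ("8.0.0.RC1", "8.0.38"), ("7.0.0", "7.0.72"), ("6.0.0", "6.0.47")]
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

def version_key(v):
    # Sortable key: numeric parts plus a pre-release rank (M < RC < final release).
    nums, pre = [], (2, 0)
    for part in v.split("."):
        m = re.fullmatch(r"(M|RC)(\d+)", part)
        if m:
            pre = ({"M": 0, "RC": 1}[m.group(1)], int(m.group(2)))
        else:
            nums.append(int(part))
    return tuple(nums), pre

def is_affected(version):
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)

def audit_jmx(server_xml, catalina_opts, version):
    # Returns human-readable findings for a Tomcat JMX remote listener setup.
    findings = []
    if is_affected(version):
        findings.append(f"Tomcat {version} is in an affected range: upgrade")
    root = ET.fromstring(server_xml)
    jmx = [el for el in root.iter("Listener") if el.get("className") == JMX_LISTENER]
    if not jmx:
        return findings  # no remote JMX listener configured, nothing more to check
    port = jmx[0].get("rmiRegistryPortPlatform")
    findings.append(f"JmxRemoteLifecycleListener publishes an RMI registry on port {port}")
    # JVM -D flags governing remote JMX; unset means the JDK default (enabled).
    opts = dict(re.findall(r"-D(com\.sun\.management\.jmxremote\.[\w.]+)=(\S+)", catalina_opts))
    if opts.get("com.sun.management.jmxremote.authenticate") == "false":
        findings.append("JMX password authentication is disabled (authenticate=false)")
    if opts.get("com.sun.management.jmxremote.ssl") == "false":
        findings.append("JMX traffic is unencrypted (ssl=false)")
    return findings

# Constructed sample inputs (not taken from any real deployment).
SERVER_XML = (f'<Server><Listener className="{JMX_LISTENER}" '
              'rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/></Server>')
WEAK_OPTS = "-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
HARDENED_OPTS = ("-Dcom.sun.management.jmxremote.authenticate=true "
                 "-Dcom.sun.management.jmxremote.password.file=conf/jmxremote.password "
                 "-Dcom.sun.management.jmxremote.access.file=conf/jmxremote.access")
if __name__ == "__main__":
    for finding in audit_jmx(SERVER_XML, WEAK_OPTS, "8.0.36"):
        print("-", finding)
```

Running it against the weak sample reports the affected version, the exposed registry port, and both disabled protections; the hardened options on a patched version leave only the informational note that the listener is present.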
Patch code:
Diff of /tomcat/trunk/webapps/docs/changelog.xml
-– tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:28 1767643
+++ tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:36 1767644
@@ -97,6 +97,10 @@
StoreConfig component includes the executor name when writing the
The Connector configuration. (markt)
+
+ When configuring the JMX remote listener, specify the allowed types for
+ the credentials. (markt)
+
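Review bot: the changelog entry added in this hunk ("When configuring the JMX remote listener, specify the allowed types for the credentials.") carries only the "(markt)" attribution and no bug id or advisory reference; consider adding the issue or CVE reference in the same line so readers can connect this entry to the JmxRemoteLifecycleListener deserialization fix the page discusses.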
/tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
-– tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:28 1767643