Note: the current version of this advisory can be found at
https://confluence.atlassian.com/x/Hw7RLg
CVE ID: CVE-2015-6576
Product: Bamboo
Affected Bamboo product versions:
 * 2.2 <= version < 5.8.5
 * 5.9.0 <= version < 5.9.7
Summary:
This advisory discloses a critical severity security vulnerability
that was introduced in version 2.2 of Bamboo. Versions of Bamboo
starting with 2.2 before 5.8.5 (the fixed version for 5.8.x) and from
5.9.0 before 5.9.7 (the fixed version for 5.9.x) are vulnerable.
Atlassian Cloud instances have already been upgraded to a version of
Bamboo which does not have the issue described on this page.
Customers who have upgraded Bamboo to version 5.8.5 or version 5.9.7
are not affected.
Customers who have downloaded and installed Bamboo version 2.2 or later
but earlier than 5.8.5 (the fixed version for 5.8.x):
 Please upgrade your Bamboo installations immediately to fix this
vulnerability.
Customers who have downloaded and installed Bamboo version 5.9.0 or
later but earlier than 5.9.7 (the fixed version for 5.9.x):
 Please upgrade your Bamboo installations immediately to fix this
vulnerability.
Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank a severity as critical, high, moderate, or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.
Description:
Bamboo had a resource that deserialised arbitrary user input without
restriction. Attackers can use this vulnerability to execute Java code
of their choice on systems that have a vulnerable version of Bamboo.
To exploit this issue, attackers need to be able to access the Bamboo
web interface.
All versions of Bamboo from 2.2 before 5.8.5 (the fixed version for
5.8.x) and from 5.9.0 before 5.9.7 (the fixed version for 5.9.x) are
affected by this vulnerability. This issue can be tracked here:
https://jira.atlassian.com/browse/BAM-16439
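The advisory does not name the vulnerable resource, so the following is an added illustration of the bug class rather than Bamboo's own code: a method that hands untrusted bytes straight to ObjectInputStream.readObject() next to the same method guarded by a java.io.ObjectInputFilter allow-list (Java 9+, or a JDK 8 update carrying the JEP 290 backport). The BuildRequest class and the "PROJ-PLAN" sample value are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Hypothetical request type that the service legitimately expects to receive.
// Constructed for this example; it is not a Bamboo class.
final class BuildRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String planKey;
    BuildRequest(String planKey) { this.planKey = planKey; }
}

public final class DeserializationFilterDemo {

    // Vulnerable pattern: the class that gets instantiated is chosen entirely by
    // the bytes the client sent. Any Serializable class on the classpath can be
    // materialised, and its readObject()/readResolve() logic runs before the
    // caller ever gets to inspect the returned object.
    static Object readUnrestricted(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter is consulted for every class, array
    // and nested reference before it is resolved, so anything unexpected is
    // refused with InvalidClassException instead of being constructed.
    private static final Set<String> ALLOWED = Set.of(
            BuildRequest.class.getName(),
            "java.lang.String");

    static final ObjectInputFilter ALLOW_LIST = info -> {
        // Resource limits: refuse deeply nested graphs, reference-heavy streams
        // and oversized arrays regardless of the classes involved.
        if (info.depth() > 4 || info.references() > 100 || info.arrayLength() > 1000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Stream events with no class attached (e.g. block data): stay neutral.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();   // judge arrays by their element type
        }
        if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static BuildRequest readRestricted(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);
            Object o = in.readObject();
            if (!(o instanceof BuildRequest)) {
                throw new InvalidClassException("unexpected type " + o.getClass().getName());
            }
            return (BuildRequest) o;
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new BuildRequest("PROJ-PLAN"));
        System.out.println("restricted accepts expected class: " + readRestricted(expected).planKey);

        // A harmless stand-in for "some class the endpoint never meant to accept":
        // the unrestricted reader builds it, the filtered reader refuses it before
        // a single field is read.
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("x")));
        System.out.println("unrestricted accepts: " + readUnrestricted(unexpected).getClass().getName());
        try {
            readRestricted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("restricted rejects: " + e.getMessage());
        }
    }
}
```

The filter can also be installed process-wide with the jdk.serialFilter system property, which is the practical mitigation when the deserialising code is in a third-party product you cannot change.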
Acknowledgements:
We would like to credit Matthias Kaiser of Code White for reporting
this issue to Atlassian.
Fix:
We have taken the following steps to address this issue:
1. Released Bamboo version 5.9.7 that contains a fix for this issue.
2. Released Bamboo version 5.8.5 that contains a fix for this issue.
Remediation:
Upgrade Bamboo to version 5.9.7 or higher.
If you are running Bamboo 5.8.x and cannot upgrade to Bamboo 5.9.x,
then upgrade to version 5.8.5.
For a full description of the latest version of Bamboo, see the
release notes found at
https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You
can download the latest version of Bamboo from the download centre
found at https://www.atlassian.com/software/bamboo/download.
Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.
--
David Black / Security Engineer.