Posted to users@tomee.apache.org by Lukas Kohl <lu...@ergodirekt.de> on 2015/11/26 13:37:16 UTC

Unsecure deserialization of Java Objects

Hello,
A recent analysis by Foxglove Security has confirmed multiple zero-day, 
remotely executable exploits for Java applications that deserialize 
objects from untrusted network sources and use libraries such as Apache 
Commons Collections, Groovy or Spring. 
See: 
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
As Apache Commons Collections is included in OpenEJB, we need to know if 
it is affected by this vulnerability.
If yes, please let us know what your recommendation is to prevent damage, 
and when a patch will be available.

P.S.: Sorry for the double post, but I am not sure whether my first mail reached 
the mailing list (missing subscription).

Thanks!

Kind Regards
Lukas


www.ergodirekt.de

Blog: http://blog.ergodirekt.de
Facebook: www.facebook.com/ERGODirekt
Google+: www.google.com/+ergodirekt 
Twitter: www.twitter.com/ERGODirekt
YouTube: www.youtube.com/ERGODirekt
_______________________

ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 · UST-ID-Nr. DE159593454 
ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr. DE159593438 
ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 · UST-ID-Nr. DE159593446 
Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth 
Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian Diedrich 
Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg Stoffels · Sitz: Fürth 
Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de 
UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70 
IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM 

Re: Unsecure deserialization of Java Objects

Posted by Romain Manni-Bucau <rm...@gmail.com>.
The fix uses a hardcoded blacklist of unserializable classes and allows
configuring a whitelist of unserializable classes (this last one being the
only really secure case, but the other one is the best we can do and
already makes it harder to exploit the issue).


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 15:17 GMT+01:00 Lars-Fredrik Smedberg <it...@gmail.com>:


Re: Unsecure deserialization of Java Objects

Posted by Lars-Fredrik Smedberg <it...@gmail.com>.
Hi

@Romain, I would be interested to see how such a fix is implemented. Can
you give pointers to look at some code?

Thanks

Regards
LF

On Fri, Nov 27, 2015 at 1:53 PM, Romain Manni-Bucau <rm...@gmail.com>
wrote:


-- 
Med vänlig hälsning / Best regards

Lars-Fredrik Smedberg

STATEMENT OF CONFIDENTIALITY:
The information contained in this electronic message and any
attachments to this message are intended for the exclusive use of the
address(es) and may contain confidential or privileged information. If
you are not the intended recipient, please notify Lars-Fredrik Smedberg
immediately at itsmeden@gmail.com, and destroy all copies of this
message and any attachments.

Re: Unsecure deserialization of Java Objects

Posted by Andy <an...@gmx.de>.
Yep, that should all be non-DMZ, unless you're crazy. So I guess we can 
just post a warning for people to be aware.
If we become aware of real DMZ issues within TomEE itself then we need 
to post as much info on this as possible.

On 27/11/2015 13:53, Romain Manni-Bucau wrote:

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: Unsecure deserialization of Java Objects

Posted by Romain Manni-Bucau <rm...@gmail.com>.
"one place" = one feature in the tomee codebase; all the projects I mentioned
can use it. Here is a small overview:

- jcs: depends on your plugins (no risk by default, i.e. in in-memory mode)
- openjpa: depends on whether you serialize openjpa instances (if so you probably
have other troubles, whether you are aware of them or not ;), see struberg's slides for
details on this)
- batchee: you can use this code, but it is not normally used remotely, so no
real risk
- openwebbeans: depends on whether you use serializable scopes and how (no risk
with the default setup)
- activemq: risk when using a remote broker
- tomee: medium risk when using the ejbd protocol




Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 13:48 GMT+01:00 Lukas Kohl <lu...@ergodirekt.de>:


Re: Unsecure deserialization of Java Objects

Posted by Lukas Kohl <lu...@ergodirekt.de>.
Hello Romain,
thank you very much, this was quite fast!
You mentioned that there is only one dangerous place. Which place in 
OpenEJB is this?

I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe?


Kind regards,
Lukas



From:    Romain Manni-Bucau <rm...@gmail.com>
To:     "users@tomee.apache.org" <us...@tomee.apache.org>
Date:  27.11.2015 13:16
Subject:        [SPAM] Re: Unsecure deserialization of Java Objects




Re: Unsecure deserialization of Java Objects

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Fixed in jcs, batchee, owb, tomee, openjpa
AMQ already had the fix
opened an issue for myfaces


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:


Re: Unsecure deserialization of Java Objects

Posted by Romain Manni-Bucau <rm...@gmail.com>.
You can run the code you want, more or less. OpenJPA got the same issue and
fixed it months ago.

I'll add the filter today.
On 27 Nov 2015 12:00, "Andy" <an...@gmx.de> wrote:


Re: Unsecure deserialization of Java Objects

Posted by Andy <an...@gmx.de>.
What is the dangerous option, so we can inform people of the danger?

Andy.

-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


Re: Unsecure deserialization of Java Objects

Posted by Romain Manni-Bucau <rm...@gmail.com>.
There are a few places (mainly one, actually), but it is optional, so a default
instance shouldn't have any issue. That said, you are right that we need to fix
the embedded ejbd code.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 11:35 GMT+01:00 Stephen Connolly <stephen.alan.connolly@gmail.com>:


Re: Unsecure deserialization of Java Objects

Posted by Stephen Connolly <st...@gmail.com>.
Hmmm,

So does Tomee expose any RMI end-points or use Java serialization anywhere
at all?

The issue here is that if you deserialize *anything* and
commons-collections (or groovy, or some other libs) is on the classpath that
ObjectInputStream uses for class instantiation, then somebody can deliver a
payload that references those classes and compromises the running code.

https://github.com/apache/openejb/search?utf8=%E2%9C%93&q=ObjectInputStream

Says there are 22 usages of ObjectInputStream; none of those appear to be
doing class filtering.

https://github.com/jenkinsci/remoting/blob/bfbcfb3282d98cda4de6c4f0deb9bcb03e3c5187/src/main/java/hudson/remoting/ObjectInputStreamEx.java#L54

Shows one way of implementing class filtering.

https://www.youtube.com/watch?v=OWwOJlOI1nU

On 26 November 2015 at 19:29, Romain Manni-Bucau <rm...@gmail.com> wrote:

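The class filtering Stephen points to above, and the hardcoded blacklist plus optional configurable whitelist that Romain describes for the fix at the top of this page, both come down to one hook: ObjectInputStream.resolveClass is called for every class descriptor in the stream before the JDK instantiates anything, so a subclass can refuse a descriptor there. The following is an added example written for this page; it is neither TomEE's code nor the Jenkins ObjectInputStreamEx linked above, and the denied package prefixes and the allow list are constructed for the demo, not the project's actual lists.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative ObjectInputStream that vets every class descriptor before the
 * JDK instantiates anything. Added example, not TomEE's or Jenkins' code; the
 * prefix list below is constructed for the demo and is not the project's list.
 */
public class FilteringObjectInputStream extends ObjectInputStream {

    // Hard-coded deny list (the "blacklist" from the thread): package prefixes
    // that commonly host gadget classes. Illustrative entries only; a real list
    // has to be kept current, which is why a deny list alone is a mitigation,
    // not a fix.
    private static final List<String> DENIED_PREFIXES = Arrays.asList(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.",
            "org.codehaus.groovy.runtime.",
            "org.springframework.beans.factory.");

    // Optional allow list ("whitelist") of fully qualified class names.
    // null means "deny list only"; a non-null set is the only strong mode.
    private final Set<String> allowed;

    public FilteringObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        String element = elementType(name);
        // Primitive arrays ("[I", "[[B", ...) carry no code and are always fine.
        if (element.length() > 1) {
            for (String prefix : DENIED_PREFIXES) {
                if (element.startsWith(prefix)) {
                    throw new InvalidClassException(name, "rejected by deserialization deny list");
                }
            }
            if (allowed != null && !allowed.contains(element)) {
                throw new InvalidClassException(name, "not in deserialization allow list");
            }
        }
        return super.resolveClass(desc);
    }

    /** Strips array markers: "[[Lcom.foo.Bar;" -> "com.foo.Bar", "[I" -> "I", plain names unchanged. */
    private static String elementType(String name) {
        int i = 0;
        while (i < name.length() && name.charAt(i) == '[') i++;
        String rest = name.substring(i);
        if (i > 0 && rest.startsWith("L") && rest.endsWith(";")) {
            return rest.substring(1, rest.length() - 1);
        }
        return rest;
    }

    // Helpers used by the demo below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a harmless ArrayList of Strings and an (unlisted) HashMap.
        Set<String> allow = new HashSet<>(Arrays.asList("java.util.ArrayList"));
        byte[] listBytes = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        byte[] mapBytes = serialize(new HashMap<String, String>());

        System.out.println("allowed: " + deserialize(listBytes, allow));
        try {
            deserialize(mapBytes, allow);
        } catch (InvalidClassException e) {
            // The stream is rejected at the class-descriptor stage, before any
            // constructor or readObject of the unlisted class runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list mode is what makes this strong: with a deny list, anything not yet on the list still gets instantiated, which is Romain's point that the whitelist is "the only really secured case". Two caveats for anyone wiring this into a code base: every ObjectInputStream in the application (Stephen counts 22 in OpenEJB at the time) has to go through the filtering subclass, and since Java 9 (backported to later Java 8 updates) the JDK offers the same allow/deny capability without subclassing through ObjectInputFilter and the jdk.serialFilter property, which covers streams you do not construct yourself.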

Re: Unsecure deserialization of Java Objects

Posted by Romain Manni-Bucau <rm...@gmail.com>.
TomEE code itself doesn't use Commons Collections for deserialisation. The
issue is, however, not limited to Commons Collections, but TomEE is not known
to be affected.
On 26 Nov 2015 13:37, "Lukas Kohl" <lu...@ergodirekt.de> wrote:
