Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/11/27 13:23:04 UTC

[Bug 58662] New: blacklist some classes in custom ObjectInputStreams

https://bz.apache.org/bugzilla/show_bug.cgi?id=58662

            Bug ID: 58662
           Summary: blacklist some classes in custom ObjectInputStreams
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
                OS: Mac OS X 10.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: rmannibucau@gmail.com

Tomcat (at least 7 to 9) uses a custom ObjectInputStream; since the server can't
control the fact that a user adds one of the vulnerable libraries in the same
classloader as tomcat (aka common.loader), tomcat should blacklist these
classes.

This can be done with
https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/core/rmi/BlacklistClassResolver.java
(adapting the config I guess) and calling check(name) here
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java#L74
around classDesc.getName() before loading the class

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
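The report above proposes a class-name check inside the custom ObjectInputStream, run on `classDesc.getName()` before the class is loaded. The following is an added illustration of that idea and is not Tomcat's CustomObjectInputStream nor TomEE's BlacklistClassResolver: the `FilteringObjectInputStream` class, its `deniedPrefixes`/`allowedPrefixes` configuration, the `com.example.untrusted.` placeholder prefix and the `Widget` sample class are all assumptions made for this example. It also covers two cases a name check must not miss: array descriptors such as `[Lcom.example.Foo;`, and dynamic proxies, which are resolved through `resolveProxyClass` rather than `resolveClass`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Illustrative ObjectInputStream that consults a class-name check before any
 * class named in the stream is loaded. Example code, not Tomcat's or TomEE's.
 */
public class FilteringObjectInputStream extends ObjectInputStream {

    /** Hypothetical config: package prefixes that are never resolved (deny list). */
    private final List<String> deniedPrefixes;
    /** Hypothetical config: package prefixes that may be resolved; empty = no allow list. */
    private final List<String> allowedPrefixes;

    public FilteringObjectInputStream(InputStream in, List<String> denied, List<String> allowed)
            throws IOException {
        super(in);
        this.deniedPrefixes = denied;
        this.allowedPrefixes = allowed;
    }

    /** The check(name) step: runs on the name from the stream, before class loading. */
    void check(String streamName) throws InvalidClassException {
        String name = elementTypeName(streamName);
        if (name == null) {
            return; // primitive array such as "[I": nothing to load
        }
        for (String prefix : deniedPrefixes) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "class rejected by deserialization filter");
            }
        }
        if (!allowedPrefixes.isEmpty()) {
            for (String prefix : allowedPrefixes) {
                if (name.startsWith(prefix)) {
                    return;
                }
            }
            throw new InvalidClassException(name, "class not on the deserialization allow list");
        }
    }

    /** Strips array descriptors: "[[Lcom.example.Foo;" becomes "com.example.Foo". */
    private static String elementTypeName(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') {
            dims++;
        }
        if (dims == 0) {
            return name;
        }
        String rest = name.substring(dims);
        if (rest.startsWith("L") && rest.endsWith(";")) {
            return rest.substring(1, rest.length() - 1);
        }
        return null; // primitive element type
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        check(desc.getName()); // reject before super.resolveClass touches the classloader
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) {
            check(iface); // proxies bypass resolveClass; check every interface name
        }
        return super.resolveProxyClass(interfaces);
    }

    /** Constructed sample class standing in for an application type not on the allow list. */
    static class Widget implements Serializable {
        private static final long serialVersionUID = 1L;
        int id = 7;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder prefix standing in for a gadget-enabling library's package.
        List<String> denied = Arrays.asList("com.example.untrusted.");
        List<String> allowed = Arrays.asList("java.lang.", "java.util.");

        byte[] okBytes = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        Object back = new FilteringObjectInputStream(new ByteArrayInputStream(okBytes), denied, allowed)
                .readObject();
        System.out.println("accepted: " + back);

        byte[] badBytes = serialize(new Widget());
        try {
            new FilteringObjectInputStream(new ByteArrayInputStream(badBytes), denied, allowed).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the accepted `ArrayList` and then a rejection for `Widget`, whose descriptor name is checked before any loading happens. Two design points carry over to a real deployment: an allow list is a stronger control than a deny list of known gadget packages, because it also covers "some currently unknown enabling JAR"; and on Java 9 and later the same hook exists in the platform as `java.io.ObjectInputFilter` (JEP 290), which should be preferred over a hand-written `resolveClass` override.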


[Bug 58662] blacklist some classes in custom ObjectInputStreams


--- Comment #2 from romain.manni-bucau <rm...@gmail.com> ---
You don't need to be able to add a jar to lib directory. The point was a user
can do it in their installation and this can have side effects. Or do you mean
that adding a jar to tomcat/lib makes tomcat no more supported?



[Bug 58662] blacklist some classes in custom ObjectInputStreams


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|REOPENED                    |RESOLVED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
If a system admin adds a JAR then it is a non-issue. To repeat my previous
comment:
<quote>
The recent spate of deserialization issues is only of concern if an application
accepts untrusted data and deserializes without validation/sanitization. A
default Tomcat install does not expose any such mechanism.
</quote>

Therefore, adding one of the known enabling JARs - or some currently unknown
enabling JAR - to Tomcat does not create a security issue that can be exploited
by a remote attacker.



[Bug 58662] blacklist some classes in custom ObjectInputStreams


romain.manni-bucau <rm...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED



[Bug 58662] blacklist some classes in custom ObjectInputStreams


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
If an attacker can add a JAR to that directory then deserialization is likely
to be the least of your worries.

The recent spate of deserialization issues is only of concern if an application
accepts untrusted data and deserializes without validation/sanitization. A
default Tomcat install does not expose any such mechanism. If an application
chooses to accept such input then validation/sanitization is an application
concern.

I'll also note that security concerns should be raised via the security list,
not via a public bug tracker.
