[wildfly-dev] Concerns about deserialization attacks

[Emond Papegaaij]

Hi all,

As you probably know, there has recently been quite some discussion about 
remotely exploitable attacks via deserialization, for instance [1] and [2]. 
These exploits are demonstrated against commons-collections 3 and 4, spring 4 
and groovy 2.4.4, but it is very likely other libraries (if not the jdk 
itself) also contain vulnerable code. In general, the advise is to not accept 
any serialized objects on a public interface.

WildFly multiplexes its remote EJB invocation over the http port via http-
remoting. I've found a way to make a WilfFly instance, configured with the 
default standalone.xml, accept arbitrary serialized objects. Access to port 
8080 is all you need. I've been able to verify the commons-collections exploit 
by adding commons-collections to the right module and let WildFly deserialize 
my objects. So far, I've not been able to exploit WildFly using only the 
classes available via this route, but I've got the feeling that this is only a 
matter of time.

As this is potentially sensitive information, I'm looking for a less public 
channel to share the details.

Best regards,
Emond Papegaaij


[1] http://www.infoq.com/news/2015/11/commons-exploit
[2] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability