[wildfly-dev] Concerns about deserialization attacks

Stuart Douglas stuart.w.douglas at gmail.com
Tue Nov 10 05:06:58 EST 2015


Can you send me the details?

I don't think we are actually vulnerable to the commons attack out of the
box; modular class loading provides a very effective barrier against these
kinds of attacks. There are only a few modules that reference
commons-collections, and they are not in any way involved with remote
communication.

Stuart



On Tue, 10 Nov 2015 at 19:31 Emond Papegaaij <emond.papegaaij at topicus.nl>
wrote:

> Hi all,
>
> As you probably know, there has recently been quite some discussion about
> remotely exploitable attacks via deserialization, for instance [1] and [2].
> These exploits are demonstrated against commons-collections 3 and 4,
> Spring 4 and Groovy 2.4.4, but it is very likely other libraries (if not
> the JDK itself) also contain vulnerable code. In general, the advice is to
> not accept any serialized objects on a public interface.
>
> WildFly multiplexes its remote EJB invocation over the http port via
> http-remoting. I've found a way to make a WildFly instance, configured with
> the default standalone.xml, accept arbitrary serialized objects. Access to
> port 8080 is all you need. I've been able to verify the commons-collections
> exploit by adding commons-collections to the right module and letting
> WildFly deserialize my objects. So far, I've not been able to exploit
> WildFly using only the classes available via this route, but I've got the
> feeling that this is only a matter of time.
>
> As this is potentially sensitive information, I'm looking for a less public
> channel to share the details.
>
> Best regards,
> Emond Papegaaij
>
>
> [1] http://www.infoq.com/news/2015/11/commons-exploit
> [2] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>