[wildfly-dev] Concerns about deserialization attacks
stuart.w.douglas at gmail.com
Tue Nov 10 05:06:58 EST 2015
Can you send me the details?
I don't think we are actually vulnerable to the commons attack out of the
box, modular class loading provides a very effective barrier against these
kind of attacks. There are only a few modules that reference
commons-collections, and they are not in any way involved with remote
On Tue, 10 Nov 2015 at 19:31 Emond Papegaaij <emond.papegaaij at topicus.nl>
> Hi all,
> As you probably know, there has recently been quite some discussion about
> remotely exploitable attacks via deserialization, for instance  and .
> These exploits are demonstrated against commons-collections 3 and 4,
> spring 4
> and groovy 2.4.4, but it is very likely other libraries (if not the jdk
> itself) also contain vulnerable code. In general, the advice is to not
> any serialized objects on a public interface.
> WildFly multiplexes its remote EJB invocation over the http port via http-
> remoting. I've found a way to make a WildFly instance, configured with the
> default standalone.xml, accept arbitrary serialized objects. Access to port
> 8080 is all you need. I've been able to verify the commons-collections
> by adding commons-collections to the right module and let WildFly
> my objects. So far, I've not been able to exploit WildFly using only the
> classes available via this route, but I've got the feeling that this is
> only a
> matter of time.
> As this is potentially sensitive information, I'm looking for a less public
> channel to share the details.
> Best regards,
> Emond Papegaaij
>  http://www.infoq.com/news/2015/11/commons-exploit
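Added example (not code from this thread, WildFly or http-remoting): both messages above turn on which classes a deserialization endpoint can reach. Stuart's point is that modular class loading keeps gadget classes such as commons-collections out of reach; Emond's advice is to not accept serialized objects on a public interface at all. When an endpoint must accept serialized input, the practical middle ground is a "look-ahead" ObjectInputStream that checks every class descriptor in resolveClass(), before the class is instantiated and before its readObject() can run. The Gadget class below is a constructed stand-in whose readObject() merely sets a flag, so the program can show that the rejection happens before any payload code executes; the class names in ALLOWED are illustrative and would be replaced by the types the endpoint actually expects.

```java
import java.io.*;
import java.util.*;

public class SafeDeserialization {

    // Classes the receiver genuinely expects (illustrative list for this example).
    // Anything else is rejected in resolveClass(), i.e. before the class is
    // instantiated and before its readObject() can run.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList",
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number"));

    // Look-ahead stream: class descriptors are validated as they are read.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // InvalidClassException is an IOException, so it propagates out of
                // readObject() immediately instead of being deferred like a CNFE.
                throw new InvalidClassException(name,
                        "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Constructed stand-in for a gadget class (NOT a real commons-collections
    // class): its readObject() records that it was invoked, which is where a
    // real gadget would start doing damage.
    static final class Gadget implements Serializable {
        static boolean readObjectRan = false;

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: only allowlisted classes appear in the stream.
        Object ok = deserialize(serialize(new ArrayList<>(Arrays.asList("a", "b"))));
        System.out.println("accepted: " + ok);

        // Hostile payload: a class that is not on the allowlist.
        byte[] hostile = serialize(new Gadget());
        try {
            deserialize(hostile);
            System.out.println("BUG: hostile payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The gadget's readObject() never executed because the descriptor was
        // rejected first.
        System.out.println("Gadget.readObject ran? " + Gadget.readObjectRan);
    }
}
```

The allowlist is checked for every class descriptor in the stream, including nested objects, so a gadget chain hidden inside an otherwise legitimate container is still caught at the first disallowed class. Note that String values are written as TC_STRING and never pass through resolveClass(), which is why the example works even though no String descriptor appears in the stream. On JDK 9 and later (and 8u121+) the same policy can be expressed with the built-in ObjectInputFilter (JEP 290) instead of a custom subclass; the approach shown here is the pattern that predates it.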