[wildfly-dev] Concerns about deserialization attacks
tomaz.cerar at gmail.com
Tue Nov 10 05:17:04 EST 2015
for best explanation.
On Tue, Nov 10, 2015 at 9:29 AM, Emond Papegaaij <emond.papegaaij at topicus.nl> wrote:
> Hi all,
> As you probably know, there has recently been quite some discussion about
> remotely exploitable attacks via deserialization, for instance  and .
> These exploits are demonstrated against commons-collections 3 and 4, spring 4
> and groovy 2.4.4, but it is very likely other libraries (if not the jdk
> itself) also contain vulnerable code. In general, the advice is to not
> any serialized objects on a public interface.
>
> WildFly multiplexes its remote EJB invocation over the http port via
> http-remoting. I've found a way to make a WildFly instance, configured with the
> default standalone.xml, accept arbitrary serialized objects. Access to port
> 8080 is all you need. I've been able to verify the commons-collections
> by adding commons-collections to the right module and let WildFly
> my objects. So far, I've not been able to exploit WildFly using only the
> classes available via this route, but I've got the feeling that this is only a
> matter of time.
>
> As this is potentially sensitive information, I'm looking for a less public
> channel to share the details.
> Best regards,
> Emond Papegaaij
>  http://www.infoq.com/news/2015/11/commons-exploit
-------------- next part --------------
An HTML attachment was scrubbed...