[wildfly-dev] Concerns about deserialization attacks

Tomaž Cerar tomaz.cerar at gmail.com
Tue Nov 10 05:17:04 EST 2015


See https://access.redhat.com/solutions/2045023 and
https://access.redhat.com/security/cve/CVE-2012-0874
for the best explanation.


On Tue, Nov 10, 2015 at 9:29 AM, Emond Papegaaij <emond.papegaaij at topicus.nl> wrote:

> Hi all,
>
> As you probably know, there has recently been quite some discussion about
> remotely exploitable attacks via deserialization, for instance [1] and [2].
> These exploits are demonstrated against commons-collections 3 and 4, spring 4
> and groovy 2.4.4, but it is very likely other libraries (if not the jdk
> itself) also contain vulnerable code. In general, the advice is to not accept
> any serialized objects on a public interface.
>
> WildFly multiplexes its remote EJB invocation over the http port via
> http-remoting. I've found a way to make a WildFly instance, configured with
> the default standalone.xml, accept arbitrary serialized objects. Access to
> port 8080 is all you need. I've been able to verify the commons-collections
> exploit by adding commons-collections to the right module and letting WildFly
> deserialize my objects. So far, I've not been able to exploit WildFly using
> only the classes available via this route, but I've got the feeling that this
> is only a matter of time.
>
> As this is potentially sensitive information, I'm looking for a less public
> channel to share the details.
>
> Best regards,
> Emond Papegaaij
>
>
> [1] http://www.infoq.com/news/2015/11/commons-exploit
> [2] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability