I. Vulnerability description:
Recently, the Java deserialization remote code execution vulnerability has continued to spread, and more and more systems are turning out to be affected. The Apache Commons toolset is widely used on the Java platform, and the InvokerTransformer class in the Apache Commons Collections component allows arbitrary code execution during deserialization. Applications such as WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS make heavy use of the Commons toolset, so this remote code execution flaw can be used to launch remote attacks against these applications.
II. Vulnerability solution:
1. Use SerialKiller in place of the ObjectInputStream class for deserialization operations;
2. As a temporary measure, delete the file "org/apache/commons/collections/functors/InvokerTransformer.class" from the project, provided this does not affect the business.
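To illustrate option 1, here is an added example (not the page's own code and not SerialKiller itself) of the look-ahead technique SerialKiller applies: an ObjectInputStream subclass that inspects each class descriptor in resolveClass() and refuses the Commons Collections functors package before any object from it is instantiated. The list of blocked package prefixes, the class name HardenedObjectInputStream and the demonstration in main() are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: an ObjectInputStream that rejects classes from the
 * Commons Collections functors package (the gadget chain this page
 * describes) while the class descriptor is being read, i.e. before the
 * object's readObject logic can run. The prefix list is an assumption
 * for this example; extend it with other known gadget packages.
 */
public class HardenedObjectInputStream extends ObjectInputStream {

    private static final List<String> BLOCKED_PREFIXES = Arrays.asList(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.");

    public HardenedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Strips array markers so "[Lorg.example.Foo;" is checked as
     * "org.example.Foo"; otherwise an array of gadget objects would slip
     * past a plain prefix comparison.
     */
    static String elementType(String name) {
        String n = name;
        while (n.startsWith("[")) {
            n = n.substring(1);
        }
        if (n.startsWith("L") && n.endsWith(";")) {
            n = n.substring(1, n.length() - 1);
        }
        return n;
    }

    /** Returns true when the class name is outside every blocked prefix. */
    public static boolean isAllowed(String className) {
        String name = elementType(className);
        for (String prefix : BLOCKED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return false;
            }
        }
        return true;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            // Throwing here aborts deserialization before instantiation.
            throw new InvalidClassException(desc.getName(),
                    "class blocked by deserialization policy");
        }
        return super.resolveClass(desc);
    }

    // Demonstration: a benign ArrayList round-trips through the hardened
    // stream; the gadget class name is reported as blocked.
    public static void main(String[] args) throws Exception {
        ArrayList<String> payload = new ArrayList<String>(Arrays.asList("a", "b"));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(payload);
        oos.close();

        ObjectInputStream ois = new HardenedObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()));
        Object restored = ois.readObject();
        ois.close();
        System.out.println("restored: " + restored);

        String gadget = "org.apache.commons.collections.functors.InvokerTransformer";
        System.out.println(gadget + " allowed? " + isAllowed(gadget));
        System.out.println("[L" + gadget + "; allowed? " + isAllowed("[L" + gadget + ";"));
    }
}
```

A block list like this only stops the gadget chains you already know about; SerialKiller also supports an allow list of expected classes, which is the stronger policy when the set of serialized types is known. On Java 9 and later (and 8u121 and later) the same check can be expressed with the built-in ObjectInputFilter instead of subclassing ObjectInputStream.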
Locate the jar on the server that contains the class org/apache/commons/collections/functors/InvokerTransformer.class. On WebLogic 10 this is com.bea.core.apache.commons.collections_3.2.0.jar under oracle/middleware/modules. Create a temporary directory tt, copy the jar there and unpack it, delete InvokerTransformer.class, repack com.bea.core.apache.commons.collections_3.2.0.jar, copy it back over the original under oracle/middleware/modules, and restart all services. The detailed steps on Linux are as follows:
A) mkdir tt
B) cp -r oracle/middleware/modules/com.bea.core.apache.commons.collections_3.2.0.jar ./tt
C) cd tt && jar xf com.bea.core.apache.commons.collections_3.2.0.jar
D) cd org/apache/commons/collections/functors
E) rm -rf InvokerTransformer.class
F) cd ../../../../.. && jar cf com.bea.core.apache.commons.collections_3.2.0.jar org/* META-INF/*
G) mv com.bea.core.apache.commons.collections_3.2.0.jar ../oracle/middleware/modules/
H) Restart the service
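Before and after the jar surgery above it is worth checking which jars on the host still ship the class, since copies can exist outside oracle/middleware/modules (for example in application archives or in the server's tmp directory). The following scanner is an added example, not part of the page or of WebLogic: it walks a directory tree, opens every .jar with java.util.jar.JarFile and reports the ones that contain InvokerTransformer.class. The entry name for Commons Collections 3 is the one the page gives; the Commons Collections 4 entry name, the default root directory and the class name InvokerTransformerScanner are assumptions for this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.jar.JarFile;

/**
 * Added example: reports every jar under a directory tree that still
 * contains the InvokerTransformer class, so a host can be verified after
 * the class has been removed from com.bea.core.apache.commons.collections_3.2.0.jar.
 */
public class InvokerTransformerScanner {

    // Entry names checked in each jar. The collections4 name is an assumption
    // for this example (that package also ships an InvokerTransformer).
    static final List<String> VULNERABLE_ENTRIES = Arrays.asList(
            "org/apache/commons/collections/functors/InvokerTransformer.class",
            "org/apache/commons/collections4/functors/InvokerTransformer.class");

    /** Returns the first vulnerable entry present in the jar, or null. */
    public static String vulnerableEntryIn(File jar) throws IOException {
        JarFile jf = new JarFile(jar);
        try {
            for (String entry : VULNERABLE_ENTRIES) {
                if (jf.getJarEntry(entry) != null) {
                    return entry;
                }
            }
            return null;
        } finally {
            jf.close();
        }
    }

    /** Recursively collects the jars under root that contain a vulnerable entry. */
    public static List<File> findVulnerableJars(File root) {
        List<File> hits = new ArrayList<File>();
        File[] children = root.listFiles();
        if (children == null) {
            return hits; // not a directory, or unreadable
        }
        for (File f : children) {
            if (f.isDirectory()) {
                hits.addAll(findVulnerableJars(f));
            } else if (f.getName().endsWith(".jar")) {
                try {
                    if (vulnerableEntryIn(f) != null) {
                        hits.add(f);
                    }
                } catch (IOException e) {
                    // A corrupt or locked jar is reported, not silently skipped.
                    System.err.println("unreadable jar: " + f + " (" + e.getMessage() + ")");
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Assumed default root; pass another directory as the first argument.
        File root = new File(args.length > 0 ? args[0] : "oracle/middleware/modules");
        List<File> hits = findVulnerableJars(root);
        if (hits.isEmpty()) {
            System.out.println("no jar under " + root + " contains InvokerTransformer.class");
        }
        for (File hit : hits) {
            System.out.println("still contains InvokerTransformer.class: " + hit);
        }
    }
}
```

Run it against the modules directory after step G and against the domain directory after the cache and tmp cleanup; a non-empty result means another copy of the class is still loadable. The scanner does not look inside jars nested in .war or .ear archives, so those must be unpacked or checked separately.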
III. Notes on the solution:
1. If, instead of patching WebLogic's own com.bea.core.apache.commons.collections_3.2.0.jar, you modify the application's own collections_*.jar, the modified jar must not be overwritten on release. Also remember not to overwrite the modified jar file when redeploying the application, restoring from backup, or releasing.
2. When restarting the service, delete the cache and tmp directories under the server directory (servers/<server-name>), for example:
rm -rf ~/user_projects/domains/base_domain/servers/AdminServer/cache
rm -rf ~/user_projects/domains/base_domain/servers/AdminServer/tmp
Java deserialization vulnerability resolution