I. Description of the vulnerability
The overseas Foxglove Security research team published an article on its blog on November 06, 2015 describing how common Java applications can be made to execute remote commands through deserialization operations. The Java applications discussed in the original blog post use the Apache Commons Collections library and expose an interface that accepts serialized object data. For each application, the blog post provides analysis and proof-of-concept code to show how widespread remote command execution is in Java applications.
II. Vulnerability hazards
Once an application is exposed in this way, an attacker can use the vulnerability to execute arbitrary system commands at any time, take full control of the machine, and destroy or steal the data on it.
III. Software and systems confirmed to be exploitable
Any application that uses the Apache Commons Collections library is in theory affected by the vulnerability. Applications that have been confirmed to be affected:
- Websphere
- Weblogic
- Jboss
- Jenkins
- OpenNMS
IV. Recommended remediation
No official patch has been released for this vulnerability, so it cannot be fixed by applying an upgrade. Interim measures:
1. Use SerialKiller in place of the ObjectInputStream class for deserialization operations.
2. Where it does not affect the business, temporarily delete the file "org/apache/commons/collections/functors/InvokerTransformer.class" from the project.
3. Hide the application access path affected by the vulnerability, for example by changing it to a randomly generated string.
Java Deserialization Remote Command Execution Vulnerability