Apache Geronimo Remote Code Execution Vulnerability

Source: Internet
Author: User

Brief introduction:

Apache Geronimo is the Apache Software Foundation's open source Java server. It integrates many advanced technologies and design concepts, most of which originate from separate projects that each have their own configuration and deployment models.

Geronimo fully integrates the configuration and deployment of these projects and methodologies into a single, easy-to-use model.

Vulnerability:

Geronimo actually exposes quite a few deserialization entry points. By default, similarly to Tomcat Manager, it can also be used to deploy a WAR package, so weak passwords are one issue. During testing I found that the default Java RMI service, combined with the bundled Commons Collections library, is affected by the deserialization vulnerability that exists in older Commons Collections versions.

The bundled jar matches a vulnerable version:

./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
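A defender's first check for this finding is whether the server ships a Commons Collections build that predates the hardening of its deserializable functors (3.2.2 for the 3.x line, 4.1 for the 4.x line). The scanner below is an added example written for this page, not code from the original post or from the Geronimo project; the repository layout it builds is a constructed sample modelled on the path quoted above.

```python
"""Scan a Geronimo-style Maven repository for Commons Collections jars whose
version predates the deserialization hardening. Example added for this page."""
import os
import re
import tempfile
from pathlib import Path

# First releases per major line in which unsafe functor deserialization is disabled by default.
FIXED_VERSIONS = {3: (3, 2, 2), 4: (4, 1)}

# Matches commons-collections-3.2.1.jar as well as commons-collections4-4.0.jar
JAR_RE = re.compile(r"^commons-collections4?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); non-numeric formats yield None."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None


def is_vulnerable(version):
    """True when the version tuple is older than the fixed release of its major line."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return False  # unknown major line: out of scope for this check
    return version < fixed  # tuple comparison handles (3, 2) < (3, 2, 2) correctly


def scan_repository(root):
    """Return sorted (path, version string, vulnerable?) for every Commons Collections jar."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = JAR_RE.match(name)
            version = parse_version(match.group(1)) if match else None
            if version is not None:
                findings.append((os.path.join(dirpath, name), match.group(1), is_vulnerable(version)))
    return sorted(findings)


def build_sample_repository():
    """Create a throwaway directory mimicking the repository layout (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="geronimo-repo-"))
    for rel in ("commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar",
                "commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar",
                "org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()  # empty placeholder standing in for the real jar
    return root


if __name__ == "__main__":
    for path, version, bad in scan_repository(build_sample_repository()):
        print(f"{'VULNERABLE' if bad else 'ok        '} {version:<6} {path}")
```

Run it against a real install with `scan_repository("/path/to/geronimo/repository")`; the version check is by filename only, so a repackaged or renamed jar still needs a manual look at its manifest.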

Exploitation has a few small pitfalls; interested readers can test this for themselves, and I am not releasing the payload either. When applying for a CVE I communicated with Mark and waited a long time,

and was finally told that their internal vote had decided to give the server up.

Mark's reply:

Hi jianan! Yes, indeed Kevan is right. The Apache Geronimo community have recently voted to end support for the Geronimo Server part, as Kevan has pointed out. And yes, we have so far failed to reflect this fact on our page. I'll try to address this immediately. I hope you understand our situation!

Note that any RMI communication is usually done on a custom port >1024. So those ports are usually blocked by a firewall anyway. Which means that if a company had any issues with this, then they would likely have far more problems than 'just' an RMI injection.

txs and LieGrue,
strub

> On 19.12. at xx: Kevan Miller <[email protected]> wrote:
>
> Hi Jianan,
> I'm not certain why the PMC has failed to respond. Perhaps your messages are not being properly moderated onto the PMC's mailing list?
>
> I believe their response would be as follows:
>
> The Geronimo Server distribution is no longer supported. The community vote thread that decided this is:
>
> https://Lists.apache.org/thread.html/[email protected]%3cdev.geronimo.apache.org%3e
>
> Unfortunately, the result of this vote is not properly noted on http://geronimo.apache.org/
>
> Kevan
