The most underrated, underhyped vulnerability has recently come to my attention, and I'm about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released over 9 months ago, none of the products mentioned in the title of this post has been patched, along with many more. No patch was available for the Java library containing the vulnerability either. In addition to the commercial products that are vulnerable, this also affects many custom applications.
In this post I'll be dropping pre-authentication, remote code execution exploits that leverage the vulnerability in WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS, all on the newest versions. Even more interesting, I'll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits. This should empower you to go out and find these same bugs in your own software or in the commercial products you or your clients use. All code can be found on the Foxglove Security GitHub.
I'll also be touching on why this bug is unlikely to go away soon. You can infuriate your developers and ops people by telling them to follow the instructions in the "The Fix" sections to remediate this in your environment. It'll fix it, but it's an admittedly ugly solution.
This post is going to be long. Because I'm a nice person, I made you an index. Feel free to skip straight to the exploits if you've got better things to do than read my rambling:
Background – unserialize vulnerabilities, and why didn't I hear about this sooner?
The Vulnerability – light details on the work of @frohoff and @gebl
How Common is Commons? – how to find software that is vulnerable
Exploit Dev for Skiddies – a high level process for using this vulnerability
Exploit 1 – WebSphere Application Server
Exploit 2 – JBoss Application Server
Exploit 3 – Jenkins
Exploit 4 – WebLogic Application Server
Exploit 5 – OpenNMS through RMI
The Fix – how to monkey patch your servers
...
The article is long and is not copied and pasted here; read the original directly.
Original: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#Background
What do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and your application have in common?