Vulnerability in Java Commons Library leads to thousands of insecure applications
The popular Java library has a serious vulnerability that was discovered over nine months ago, but it continues to put thousands of Java applications and servers at risk of remote code execution attacks.
The fault is located in Apache Commons, a project of the Apache Software Foundation focused on all aspects of reusable Java components. Apache Commons is used by default in various Java application servers and other products, including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.
More specifically, the fault lies in the Collections component of Apache Commons and stems from the unsafe deserialization of Java objects. In computer science, serialization is the process of converting an object into a series of bytes that can be persisted to a disk or database or sent through streams. The reverse process, creating an object from a series of bytes, is called deserialization (also known as unmarshalling).
The vulnerability was first revealed by researchers Chris Frohoff and Gabriel Lawrence at a security conference in January 2015.
However, the vulnerability received a new wave of exposure on Friday after researchers from FoxGlove Security confirmed deserialization vulnerabilities in third-party Java libraries that could be used to remotely exploit WebLogic, WebSphere, JBoss, Jenkins and OpenNMS installations, as well as many other pieces of software.
OpenNMS users can close off the attack vector simply by configuring the server’s firewall to block remote access to port 1099, the team said in a blog post. The ideal setup is to run something like iptables on the OpenNMS server and limit remote access to a minimal set of ports, such as port 22 for SSH and port 162 for SNMP trap reception. The application still needs access to its other ports from localhost, but that limits exposure to people who already have shell access to the server.
In response, Oracle issued a security alert on Tuesday, which contained instructions for a workaround in WebLogic Server. The company is working on a permanent fix, and Apache Commons Collections developers are also working to correct the problem.
The Apache Commons team added a proposed patch to its 3.2.X branch that introduces a flag to disable serialization of the vulnerable InvokerTransformer class by default. The new version of the library will throw an exception if anyone attempts to deserialize an InvokerTransformer.
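Applications that cannot wait for the library fix can apply the same idea on their own side of the stream. The following is an added example, not code from the article or from the Apache Commons patch: a "look-ahead" ObjectInputStream that rejects InvokerTransformer by its fully qualified name and refuses every class not on a short allowlist of types the application expects. The allowlist contents and the Unexpected class are constructed for the demo.

```java
import java.io.*;
import java.util.*;

public class LookAheadDeserializer {
    // Classes this application genuinely expects to receive (constructed for the demo).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));

    // Known-dangerous types that are refused even if someone later widens the allowlist.
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer"));

    static class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }

        // Called for every class descriptor in the stream before any instance is built,
        // so a refused class never gets its readObject() invoked.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (DENIED.contains(name) || !ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // A harmless stand-in for "some class the application never asked for".
    static class Unexpected implements Serializable { private static final long serialVersionUID = 1L; }

    public static void main(String[] args) throws Exception {
        // Strings travel as TC_STRING records and never reach resolveClass, so only ArrayList is checked.
        System.out.println("accepted: " + deserialize(serialize(new ArrayList<>(Arrays.asList("a", "b")))));
        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing, via ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.Integer;java.lang.Number;!*") and ObjectInputStream.setObjectInputFilter.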