Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

11/19/2015
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why The Java Deserialization Bug Is A Big Deal

Millions of app servers are potentially open to compromise due to how they handle serialized Java apps, researchers say.

A recent blog post by FoxGlove Security that described remotely executable exploits against several major middleware products including WebSphere, WebLogic, and JBoss has focused attention on what some say is an extremely dangerous but wholly underrated class of vulnerabilities.

The so-called Java deserialization vulnerability affects virtually all apps that accept serialized Java objects and gives attackers a way to gain complete remote control of an app server. Security researchers believe that potentially millions of applications -- both commercial and internally developed-- are susceptible to the issue, which is not easily mitigated.

Though researchers have been aware of the vulnerability for some time, few have paid much attention to it because there have been no working public exploits against applications until now. But FoxGlove’s demonstration of how the flaw can be exploited using a tool released about nine months ago has heightened concerns around the issue.

“It’s a big deal because many enterprise applications are vulnerable,” says Jeff Williams, chief technology officer at Contrast Security, which released a free tool for addressing the issue.

The vulnerability allows attackers to completely take over the server on which the application is hosted and create all sorts of havoc.

“They could steal or corrupt any data accessible from that server, steal the application's code, change the application, or even use that server as a launching point for further attacks now that they are inside the data center,” Williams says.

Here’s what you need to know:

What is the vulnerability called?

That depends on whom you ask. Some of have called it the Java Deserialize vulnerability, others have it as Java Unserialize flaw, while some simply call it the Java Object Serialize flaw.

What exactly is the vulnerability all about?

The vulnerability exists in the manner in which many Java apps handle a process known as object deserialization. As Williams describes, serialization is a technique that many programming languages use to transfer complex data structures over the network and between computers.

It’s a process in which a Java object is essentially broken down into a series of bytes to make it easier to transport and then reassembled back into an object at the other end. The disassembling process from an object into a sequence of bits is called serialization, while the reassembly from the bits back to an object is called deserialization or unserialization.

The problem lies in the fact that many apps that accept serialized objects do not validate or check untrusted input before deserializing it. This gives attackers an opening to insert a malicious object into a data stream and have it execute on the app server.

“In this attack, special objects are serialized that cause the standard Java deserialization engine to run code of the attacker’s choosing,” Williams says. “It’s not exactly a problem in Java, or in any particular libraries. It’s just a powerful functionality that organizations shouldn’t expose to untrusted users.”

What exactly did FoxGlove do?

FoxGlove showed how the vulnerability could be exploited in WebSphere, WebLogic, JBoss, Jenkins, and OpenNMS.

Each of these applications includes a Java library called “commons-collections” that provides a method that leads to remote code execution when data is being deserialized, says Stephen Breen, principal consultant and developer of the attacks against the five middleware apps. Ideally, when data is being deserialized, no code should execute during the process.

Breen generated the payloads for his exploits using a tool called “ysoserial” released about 10 months ago by security researchers Chris Frohoff and Gabriel Lawrence at AppSec California 2015. In a presentation titled Marshalling Pickles, the two researchers demonstrated proof of concept code for exploiting Java object unserialization vulnerabilities and showed four different ways they could do it using the ysoserial tool.

“The bug is on both sides in my opinion; but others may disagree,” Breen says. “The commons-collections [library] should not provide a method that leads to remote command execution simply by deserializing untrusted data” he said. “This is unsafe due to the history of the way serialized objects have been used in Java.”

At the same time, app vendors and ad developers should not be unserializing untrusted data. “There could be other libraries besides the commons collection that allow for exploitable scenarios, and it’s generally not a good idea.”

What are the implications for enterprises?

Williams says the first thing enterprises need to do is find all the places where they are using deserialization on untrusted data, and harden it against the threat. “Searching [the] code is only a partial solution, because frameworks and libraries that they are including in their applications might also create this exposure.”

He pointed to a tool released by Contrast Security called Runtime Application Self-Protection (RASP) that adds code to the deserialization engine that prevents it from being exploited.

Removing commons collections from app servers running the library will not help entirely because other libraries could have a similar problem, Breen said. “It may be a good mitigation, but does not address the core problem.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.