[Owasp-board] [Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. |

Tom Brennan tomb at owasp.org
Mon Nov 9 17:12:57 UTC 2015


Stephen, Thank you for the quick reply on this for clarity to Kevin’s inquiry/statement on the leaders list cc back to that list to inform the 700+ leaders on it of the reply (the list https://lists.owasp.org/listinfo/owasp-leaders <https://lists.owasp.org/listinfo/owasp-leaders> is restricted)

Re: "awareness for software security” the OWASP Mission.  Your reply enables the discussion across the OWASP community too.

Mark Miller — is this something your interested to do a podcast around with a few interested people to talk about it and outline OWASP resources

Alcon;

So this is a “unfortunately" a great opportunity to map the OWASP projects to the issues identified and help raise visibility to the projects that can HELP people proactively and reactively.  Are there volunteers that also share this and want to pull together a BOF group and map out projects to this well written announcement?  

The final effort is to push out a OWASP Blog post to raise visibility for the issues, defenses available today and for consideration in the future. 

Couple of moving parts here but a opportunity to raise awareness as a collective GROUP for software security and provide expect talking points to the many audiences that are listening. 

BOF doc created here if your interested and have a few cycles.

https://docs.google.com/spreadsheets/d/1aG6IL_2eP7xyZkaHCDMThxI-kXUSBao9fXxpUrPN5EU/edit?usp=sharing <https://docs.google.com/spreadsheets/d/1aG6IL_2eP7xyZkaHCDMThxI-kXUSBao9fXxpUrPN5EU/edit?usp=sharing> 



> On Nov 9, 2015, at 11:35 AM, Stephen Breen <Stephen.Breen at nttcomsecurity.com> wrote:
> 
> Thanks for forwarding Tom.
> 
> Unfortunately the situation with this vulnerability is a little bit complex and there is some disagreement on the subject of whether this was irresponsible disclosure.
> 
> In our opinion this is a 9 month old vulnerability that was completely ignored and we wanted to get the word out. I don't consider the exploits we released to be 0-day, and if you disagree, then I would concede that they are at least not 0-day worth keeping secret. Within TWO days of hearing about the Apache commons bug and exploit code released 9 months ago I had discovered and developed proof of concept exploits for the 5 products identified in the article. This is not because I'm particularly clever, but because the exploit identification and development is trivial given what was released previously.
> 
> If we can do this with material already publicly available, so can anyone else. If I were running one of MANY affected products, I would prefer to know that it has had such a vulnerability outstanding for over 9 months and work toward a remediation. The attention this subject has gained also allows for affected products that were not listed in the post to work on this issue internally.
> 
> Stephen Breen
> Principal Consultant – OffSec and Red Team
> T   +1 (508) 507-8945
> stephen.breen at nttcomsecurity.com
> www.nttcomsecurity.com
> 
> 
> -----Original Message-----
> From: Tom Brennan [mailto:tomb at owasp.org]
> Sent: Monday, November 09, 2015 10:54 AM
> To: Kevin W. Wall <kevin.w.wall at gmail.com>
> Cc: Stephen Breen <Stephen.Breen at nttcomsecurity.com>
> Subject: Re: [Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. |
> 
> Interesting feedback Kevin, I do not know the answer to your question however cc to Stephen who can shed some light on it.
> 
> The insight will be useful and set the record straight for your question.
> 
> Related to OWASP’s role in community and raising visibility for the issue(s) identified, it pushed on the question of creating a platform for researchers log information for global dissemination.  This happens frequently and would be a useful “project” to the community consumers of information.
> 
> 
> 
>> On Nov 9, 2015, at 10:21 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> 
>> On Fri, Nov 6, 2015 at 10:37 PM, Tom Brennan <tomb at owasp.org> wrote:
>>> Great write up - take notice, take action.
>>> 
>>> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jbo
>>> ss-jenkins-opennms-and-your-application-have-in-common-this-vulnerabi
>>> lity/
>> 
>> Tom,
>> 
>> Yes, it is great research and a great write-up, but IMO, this is also
>> a great example of irresponsible disclosure. According to the Jenkins
>> team, FoxGlove gave them no advance notice of this to allow time for a
>> fix, so this essentially was a 0day for them.
>> And if they did that to Jenkins, it wouldn't surprise me if they also
>> handled the other vendors (IBM, Oracle, and RedHat) in the same way.
>> So what we are left with is a fully developed, (in many cases)
>> remotely accessible fully-scripted exploit for Jenkins, OpenNMS,
>> JBoss, WebSphere, and WebLogic Server (not to mention countless other
>> vulnerable applications where this may be exposed) where the only
>> thing missing is a harmful payload. (And that should be relatively
>> easy to construct using the ysoserial tool.)
>> 
>> Frankly, I'm surprised that I've not seen any public outcry for
>> irresponsible disclosure here. (Or maybe there has been in places like
>> the Twitterverse or other places that I don't monitor.)
>> 
>> Also, I was not able to find any prior CVE for this against Apache
>> Commons-Collections.
>> (In fact, the Apache team just created a bug ID for this on Saturday.)
>> 
>> So, my apologies to FoxGlove if I am making assumptions about not
>> notifying the vendors before hand, the the Jenkins dev team claims
>> they were not made aware before hand, so I think--if that is true--it
>> is a reasonable assumption that the other vendors may not have been
>> provided advance notice either to allow them time to deploy patches.
>> 
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/
>> NSA: All your crypto bit are belong to us.
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 
> NTT Com Security (US) Inc
> 204 West Newberry Road
> Suite 101
> Bloomfield, CT 06002
> Connecticut Business ID Number: 0281201
> ****************************************************************
> Please note that: This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
> 
> http://www.nttcomsecurity.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151109/2b84bfc7/attachment-0001.html>


More information about the Owasp-board mailing list