[Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. |
Kevin W. Wall
kevin.w.wall at gmail.com
Mon Nov 9 15:21:42 UTC 2015
On Fri, Nov 6, 2015 at 10:37 PM, Tom Brennan <tomb at owasp.org> wrote:
> Great write up - take notice, take action.
Yes, it is great research and a great write-up, but IMO, this is also
a great example
of irresponsible disclosure. According to the Jenkins team, FoxGlove
gave them no
advance notice of this to allow time for a fix, so this essentially
was a 0day for them.
And if they did that to Jenkins, it wouldn't surprise me if they also
handled the other
vendors (IBM, Oracle, and RedHat) in the same way. So what we are left with is
a fully developed, (in many cases) remotely accessible fully-scripted
Jenkins, OpenNMS, JBoss, WebSphere, and WebLogic Server (not to mention
countless other vulnerable applications where this may be exposed) where the
only thing missing is a harmful payload. (And that should be relatively easy to
construct using the ysoserial tool.)
Frankly, I'm surprised that I've not seen any public outcry for irresponsible
disclosure here. (Or maybe there has been in places like the Twitterverse
or other places that I don't monitor.)
Also, I was not able to find any prior CVE for this against Apache
(In fact, the Apache team just created a bug ID for this on Saturday.)
So, my apologies to FoxGlove if I am making assumptions about not notifying
the vendors before hand, the the Jenkins dev team claims they were not made
aware before hand, so I think--if that is true--it is a reasonable
the other vendors may not have been provided advance notice either to allow
them time to deploy patches.
NSA: All your crypto bit are belong to us.
More information about the OWASP-Leaders