[Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. |

Jim Manico jim.manico at owasp.org
Sat Nov 21 19:58:13 UTC 2015


This is a very serious issue - anonymous remote code execution against 
major servlet/JEE containers and more. Ouch. This is not unique to Java; 
deserialization of untrusted input in just about any language is bad.

But be careful now. The article from Foxglove has several critical 
errors and bits of misinformation.

Here are better resources that discuss the various defensive strategies.

  * http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
    (original AppSec Cali talk)
  * http://blog.nibblesec.org/2015/11/fixing-java-serialization-bugs-with.html
  * http://fishbowl.pastiche.org/2015/11/09/java_serialization_bug/
  * http://www.ibm.com/developerworks/library/se-lookahead/
  * http://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

Aloha,
Jim


On 11/7/15 2:08 AM, Aaron Guzman wrote:
> Awesome! Thanks for sharing..
>
> Other than the juicy details, here is a blurb to take note of if your 
> position falls into these categories :)
>
> • Defenders – Anyone on your network and potentially the Internet can 
> compromise many of your application servers, including some appliances.
> • Pentesters – This vulnerability is amazing. Runs in memory and isn’t 
> going away anytime soon. Remote code execution in many many things 
> including custom applications
> • Checkbox Checkers – Uncheck the boxes, you’re probably not compliant 
> anymore (and let’s be honest, you probably never were)
>
>
> BTW, this research originally released at Appsec Cali 2015 - 
> http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
>
> Appsec Cali 2016 is quickly approaching 
> (https://2016.appseccalifornia.org/) :)
>
> --
> Aaron Guzman
> OWASP Los Angeles Board Member
> Cloud Security Alliance LA/SoCal Research Director
> aaron.guzman at owasp.org <mailto:aaron.guzman at owasp.org>
> Twitter: @scriptingxss
> Linkedin: http://lnkd.in/bds3MgN
>
>
>> On Nov 6, 2015, at 7:37 PM, Tom Brennan <tomb at owasp.org 
>> <mailto:tomb at owasp.org>> wrote:
>>
>> Great write up - take notice, take action.
>>
>> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>>
>>
>> Tom Brennan
>> 973-506-9304
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
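As an added illustration of the look-ahead (class allowlisting) defense that the IBM developerWorks and nibblesec links above describe: this is example code written for this archive page, not code from Jim's message or from any of the linked articles, and the LookAheadDemo, PingMessage and Unexpected class names are assumptions made for the demo. It puts the vulnerable pattern (a plain ObjectInputStream over attacker-supplied bytes) next to the hardened one, which vetoes every class name in the stream before any instance of it is constructed.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not from the page or the linked articles): look-ahead
 * deserialization. resolveClass() runs when the stream's class descriptor
 * is read, i.e. before an object of that class exists, so an allowlist
 * there stops gadget classes (Commons Collections, Groovy, Spring, ...)
 * from ever being instantiated. Class names below are demo assumptions.
 */
public class LookAheadDemo {

    /** ObjectInputStream that only resolves classes on an explicit allowlist. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // Fail closed: InvalidClassException is an IOException, so it
                // propagates straight out of readObject().
                throw new InvalidClassException(name, "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            // Dynamic proxies are used by several known gadget chains; none are expected here.
            throw new InvalidClassException("java.lang.reflect.Proxy", "Proxy classes are not allowed");
        }
    }

    /** The only type this endpoint is supposed to receive (assumed for the demo). */
    static final class PingMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        PingMessage(String text) { this.text = text; }
    }

    /** Stand-in for a gadget class the endpoint must never accept. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: plain ObjectInputStream over untrusted bytes. */
    static Object deserializeUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: same call, but the stream vetoes unexpected classes up front. */
    static Object deserializeSafe(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.lang.String is written as a TC_STRING record, not via resolveClass,
        // so only the message class itself needs to be allowlisted.
        Set<String> allowed = new HashSet<>(Collections.singletonList(PingMessage.class.getName()));

        byte[] good = serialize(new PingMessage("hello"));   // constructed sample input
        byte[] bad  = serialize(new Unexpected());           // constructed sample input

        // Unsafe: both payloads are instantiated without question.
        System.out.println("unsafe good: " + deserializeUnsafe(good).getClass().getSimpleName());
        System.out.println("unsafe bad:  " + deserializeUnsafe(bad).getClass().getSimpleName());

        // Safe: the expected type passes; anything else is rejected before construction.
        System.out.println("safe good:   " + ((PingMessage) deserializeSafe(good, allowed)).text);
        try {
            deserializeSafe(bad, allowed);
            System.out.println("safe bad:    accepted (BUG)");
        } catch (InvalidClassException e) {
            System.out.println("safe bad:    rejected -> " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner will want: the allowlist has to cover every class that legitimately appears in the stream (nested field types, superclasses, collections), so build it from what the endpoint actually exchanges rather than from what happens to fail; and newer JDKs ship this mechanism natively as ObjectInputFilter (JEP 290, Java 9, backported to later Java 8/7/6 updates), which is preferable to a hand-rolled subclass where it is available. Neither replaces the first-order fix of not exposing native Java deserialization to untrusted input at all.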
