[Owasp-leaders] What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. |

Jim Manico jim.manico at owasp.org
Sat Nov 21 20:02:54 UTC 2015


Here are two more resources. These are the best I have seen so far.

https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/
http://sijmen.ruwhof.net/weblog/683-scanning-an-enterprise-organisation-for-the-critical-java-deserialization-vulnerability

Aloha,
Jim


On 11/21/15 1:58 PM, Jim Manico wrote:
> This is a very serious issue - anonymous remote code execution 
> against major servlet/JEE containers and more. Ouch. This is not 
> unique to Java; deserialization of untrusted input in just about any 
> language is bad.
>
> But be careful now. The article from Foxglove has several critical 
> errors and bits of misinformation.
>
> Here are better resources that discuss the various defensive strategies.
>
>   * http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
>     //original AppSec Cali talk
>   * http://blog.nibblesec.org/2015/11/fixing-java-serialization-bugs-with.html
>   * http://fishbowl.pastiche.org/2015/11/09/java_serialization_bug/
>   * http://www.ibm.com/developerworks/library/se-lookahead/
>   * http://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications
>
> Aloha,
> Jim
>
>
> On 11/7/15 2:08 AM, Aaron Guzman wrote:
>> Awesome! Thanks for sharing.
>>
>> Other than the juicy details, here is a blurb to take note of if your 
>> position falls into these categories :)
>>
>> • Defenders – Anyone on your network and potentially the Internet can 
>> compromise many of your application servers, including some appliances.
>> • Pentesters – This vulnerability is amazing. Runs in memory and 
>> isn’t going away anytime soon. Remote code execution in many, many 
>> things, including custom applications.
>> • Checkbox Checkers – Uncheck the boxes, you’re probably not 
>> compliant anymore (and let’s be honest, you probably never were)
>>
>>
>> BTW, this research originally released at Appsec Cali 2015 - 
>> http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
>>
>> Appsec Cali 2016 is quickly approaching 
>> (https://2016.appseccalifornia.org/) :)
>>
>> --
>> Aaron Guzman
>> OWASP Los Angeles Board Member
>> Cloud Security Alliance LA/SoCal Research Director
>> aaron.guzman at owasp.org <mailto:aaron.guzman at owasp.org>
>> Twitter: @scriptingxss
>> Linkedin: http://lnkd.in/bds3MgN
>>
>>
>>> On Nov 6, 2015, at 7:37 PM, Tom Brennan <tomb at owasp.org 
>>> <mailto:tomb at owasp.org>> wrote:
>>>
>>> Great write up - take notice, take action.
>>>
>>> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>>>
>>>
>>> Tom Brennan
>>> 973-506-9304
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> -- 
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
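Added example (not code from this thread or from any of the linked articles): the "look-ahead" defence the IBM developerWorks link above describes, in which ObjectInputStream.resolveClass is overridden so that every class descriptor in the stream is checked against an allowlist before the class is resolved, and therefore before any constructor, readObject or readResolve of an attacker-chosen class can run. The Ticket class, the allowlist contents and the HashMap used to stand in for a gadget-chain entry point are assumptions made for the demo; it needs Java 9 or later for Set.of.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class LookAheadDemo {

    // Hypothetical value object: the only type this endpoint legitimately exchanges.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String owner;
        final int seat;
        Ticket(String owner, int seat) { this.owner = owner; this.seat = seat; }
    }

    // Allowlist of class names this stream may resolve (assumed for the demo).
    // Strings and primitives are written natively and never pass through resolveClass,
    // so only the application's own types need to be listed.
    private static final Set<String> ALLOWED = Set.of(Ticket.class.getName());

    // ObjectInputStream that rejects unexpected classes before they are instantiated.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed: no code from the attacker-chosen class has run at this point.
                throw new InvalidClassException(name, "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeSafely(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: resolved and read normally.
        Ticket t = (Ticket) deserializeSafely(serialize(new Ticket("alice", 12)));
        System.out.println("accepted: " + t.owner + " seat " + t.seat);

        // Unexpected type (a constructed stand-in for a gadget-chain entry point):
        // rejected on its class name, before the HashMap is ever created.
        byte[] hostile = serialize(new java.util.HashMap<String, String>());
        try {
            deserializeSafely(hostile);
            System.out.println("BUG: hostile stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because resolveClass is invoked for every class descriptor in the object graph, not just the top-level object, nested fields of an allowed type are checked too; an allowlist entry must therefore cover every type the legitimate graph contains, and anything not listed fails closed. This is a mitigation for code that cannot stop deserializing untrusted bytes; the stronger fix the thread's authors argue for is to not accept serialized Java objects from untrusted sources at all. Later JDKs (JEP 290, JDK 9 and backports to the 6/7/8 update trains) added ObjectInputFilter for the same purpose without subclassing.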
