News

Well Known Vulnerability Still Putting Java Apps and Servers at Risk

• By John K. Waters
• November 13, 2015

It was first reported by security researchers nine months ago, but a vulnerability in the popular Apache Commons library continues to put thousands of Java applications and servers at risk of a remote code execution attack.

Apache Commons is a popular repository of reusable Java components and workspace for component development maintained by the Apache Software Foundation. The flaw allows attackers to exploit a deserialization vulnerability in the Collections component of the repository. Serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data is received.

This vulnerability allows attackers to send malicious objects to be deserialized. It is a remote code execution vulnerability, which means it can be exploited over a network without the need for a username and password.

Gabriel Lawrence, leader of Qualcomm's Application Security team, and Qualcomm cyber security engineer Chris Frohoff first reported the vulnerability during a presentation at the AppSecCali 2015 security conference in January. They offered a proof-of-concept tool, ysoserial, for generating payloads that exploit unsafe Java object deserialization (Their talk is available on YouTube.)

The current state of the flaw was reported this week by Steve Breen, a principal consultant with the Offensive Security and Red Team at NTT Com Security, in a blog post. That this vulnerability had not been fixed has broad implications, he wrote, "Because EVERYTHING in the Java world uses object serialization, and almost everything can be coerced into accepting unsafe, user provide serialized data." In his post, Breen provides proof-of-concept exploits he developed with Justin Kennedy, the director of Offensive Security and Red Teaming at NTT Com, of this flaw for WebLogic, WebSphere, JBoss servers, Jenkins and OpenNMS -- all of which use Apache Commons by default.

Breen called the vulnerability (which has not been named) "the most underrated, underhyped vulnerability of 2015."

The work of both sets of researchers shows that "developers put too much trust in Java Object Serialization," wrote Apache Commons VP Gary Gregory and project committer Bernd Eckenfels in a blog post. "The best protection against this, is to avoid using a complex serialization protocol with untrusted peers," they added. The Apache Software Foundation is currently working on a fix for the vulnerability.

Oracle has issued a security alert that includes a temporary fix for the WebLogic Server.