Unsecure deserialization of Java Objects

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

Unsecure deserialization of Java Objects

Lukas Kohl
Hello,
A recent analysis by Foxglove Security has confirmed multiple zero day,
remotely executable exploits, for Java applications that deserialize
objects from untrusted network sources and use libraries such as Apache
Commons Collections, Groovy or Spring.
see -->
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
As Apache Commons Collections is included in OpenEJB, we need to know if
it is affected by this vulnerability.
If yes, please let us know what is your recommendation to prevent damage,
and when will be a patch available.

P.s.: Sorry for double post, but I am not sure if my first Mail reached
the Mailinglist (missing subscription)

Thanks!

Kind Regards
Lukas


www.ergodirekt.de

Blog: http://blog.ergodirekt.de
Facebook: www.facebook.com/ERGODirekt
Google+: www.google.com/+ergodirekt
Twitter: www.twitter.com/ERGODirekt
YouTube: www.youtube.com/ERGODirekt
_______________________

ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 · UST-ID-Nr. DE159593454
ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr. DE159593438
ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 · UST-ID-Nr. DE159593446
Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian Diedrich
Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg Stoffels · Sitz: Fürth
Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Romain Manni-Bucau
Tomee code itself doesnt use commons collections for deserialisation. The
issue is however not limited to commons collection but tomee is not known
to be affected.
Le 26 nov. 2015 13:37, "Lukas Kohl" <[hidden email]> a écrit :

> Hello,
> A recent analysis by Foxglove Security has confirmed multiple zero day,
> remotely executable exploits, for Java applications that deserialize
> objects from untrusted network sources and use libraries such as Apache
> Commons Collections, Groovy or Spring.
> see -->
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> As Apache Commons Collections is included in OpenEJB, we need to know if
> it is affected by this vulnerability.
> If yes, please let us know what is your recommendation to prevent damage,
> and when will be a patch available.
>
> P.s.: Sorry for double post, but I am not sure if my first Mail reached
> the Mailinglist (missing subscription)
>
> Thanks!
>
> Kind Regards
> Lukas
>
>
> www.ergodirekt.de
>
> Blog: http://blog.ergodirekt.de
> Facebook: www.facebook.com/ERGODirekt
> Google+: www.google.com/+ergodirekt
> Twitter: www.twitter.com/ERGODirekt
> YouTube: www.youtube.com/ERGODirekt
> _______________________
>
> ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
> UST-ID-Nr. DE159593454
> ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
> DE159593438
> ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
> UST-ID-Nr. DE159593446
> Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und
> der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian
> Diedrich
> Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg
> Stoffels · Sitz: Fürth
> Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
> IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

stephenconnolly
Hmmm,

So does Tomee expose any RMI end-points or use Java serialization anywhere
at all?

The issue here is that if you deserialize *anything* and
commons-collections ( / groovy / some other libs) is on the classpath that
ObjectInputStream uses for class instantiation then somebody can deliver a
payload that references those classes and compromises the running code.

https://github.com/apache/openejb/search?utf8=%E2%9C%93&q=ObjectInputStream

Says there are 22 usages of ObjectInputStream, none of those appear to be
doing class filtering

https://github.com/jenkinsci/remoting/blob/bfbcfb3282d98cda4de6c4f0deb9bcb03e3c5187/src/main/java/hudson/remoting/ObjectInputStreamEx.java#L54

Shows one way of implementing class filtering.

https://www.youtube.com/watch?v=OWwOJlOI1nU

On 26 November 2015 at 19:29, Romain Manni-Bucau <[hidden email]>
wrote:

> Tomee code itself doesnt use commons collections for deserialisation. The
> issue is however not limited to commons collection but tomee is not known
> to be affected.
> Le 26 nov. 2015 13:37, "Lukas Kohl" <[hidden email]> a écrit :
>
> > Hello,
> > A recent analysis by Foxglove Security has confirmed multiple zero day,
> > remotely executable exploits, for Java applications that deserialize
> > objects from untrusted network sources and use libraries such as Apache
> > Commons Collections, Groovy or Spring.
> > see -->
> >
> >
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> > As Apache Commons Collections is included in OpenEJB, we need to know if
> > it is affected by this vulnerability.
> > If yes, please let us know what is your recommendation to prevent damage,
> > and when will be a patch available.
> >
> > P.s.: Sorry for double post, but I am not sure if my first Mail reached
> > the Mailinglist (missing subscription)
> >
> > Thanks!
> >
> > Kind Regards
> > Lukas
> >
> >
> > www.ergodirekt.de
> >
> > Blog: http://blog.ergodirekt.de
> > Facebook: www.facebook.com/ERGODirekt
> > Google+: www.google.com/+ergodirekt
> > Twitter: www.twitter.com/ERGODirekt
> > YouTube: www.youtube.com/ERGODirekt
> > _______________________
> >
> > ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
> > UST-ID-Nr. DE159593454
> > ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
> > DE159593438
> > ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
> > UST-ID-Nr. DE159593446
> > Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und
> > der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> > Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian
> > Diedrich
> > Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg
> > Stoffels · Sitz: Fürth
> > Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> > UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
> > IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
>
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Romain Manni-Bucau
there are few places (mainly one actually) but it is optional so a default
instance shouldnt have any issue. That said you are right we need to fix
the embedded ejbd code.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 11:35 GMT+01:00 Stephen Connolly <[hidden email]
>:

> Hmmm,
>
> So does Tomee expose any RMI end-points or use Java serialization anywhere
> at all?
>
> The issue here is that if you deserialize *anything* and
> commons-collections ( / groovy / some other libs) is on the classpath that
> ObjectInputStream uses for class instantiation then somebody can deliver a
> payload that references those classes and compromises the running code.
>
> https://github.com/apache/openejb/search?utf8=%E2%9C%93&q=ObjectInputStream
>
> Says there are 22 usages of ObjectInputStream, none of those appear to be
> doing class filtering
>
>
> https://github.com/jenkinsci/remoting/blob/bfbcfb3282d98cda4de6c4f0deb9bcb03e3c5187/src/main/java/hudson/remoting/ObjectInputStreamEx.java#L54
>
> Shows one way of implementing class filtering.
>
> https://www.youtube.com/watch?v=OWwOJlOI1nU
>
> On 26 November 2015 at 19:29, Romain Manni-Bucau <[hidden email]>
> wrote:
>
> > Tomee code itself doesnt use commons collections for deserialisation. The
> > issue is however not limited to commons collection but tomee is not known
> > to be affected.
> > Le 26 nov. 2015 13:37, "Lukas Kohl" <[hidden email]> a écrit :
> >
> > > Hello,
> > > A recent analysis by Foxglove Security has confirmed multiple zero day,
> > > remotely executable exploits, for Java applications that deserialize
> > > objects from untrusted network sources and use libraries such as Apache
> > > Commons Collections, Groovy or Spring.
> > > see -->
> > >
> > >
> >
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> > > As Apache Commons Collections is included in OpenEJB, we need to know
> if
> > > it is affected by this vulnerability.
> > > If yes, please let us know what is your recommendation to prevent
> damage,
> > > and when will be a patch available.
> > >
> > > P.s.: Sorry for double post, but I am not sure if my first Mail reached
> > > the Mailinglist (missing subscription)
> > >
> > > Thanks!
> > >
> > > Kind Regards
> > > Lukas
> > >
> > >
> > > www.ergodirekt.de
> > >
> > > Blog: http://blog.ergodirekt.de
> > > Facebook: www.facebook.com/ERGODirekt
> > > Google+: www.google.com/+ergodirekt
> > > Twitter: www.twitter.com/ERGODirekt
> > > YouTube: www.youtube.com/ERGODirekt
> > > _______________________
> > >
> > > ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
> > > UST-ID-Nr. DE159593454
> > > ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
> > > DE159593438
> > > ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
> > > UST-ID-Nr. DE159593446
> > > Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG
> und
> > > der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> > > Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG:
> Christian
> > > Diedrich
> > > Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr.
> Jörg
> > > Stoffels · Sitz: Fürth
> > > Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> > > UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202
> 70
> > > IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

AndyG
What is the dangerous option, so we can inform people of the danger?

Andy.

--
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe

Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Romain Manni-Bucau
You can run the code you want more or less. Openjpa got the same issue and
fixed it months ago.

Ill add the filter today
Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :

> What is the dangerous option, so we can inform people of the danger?
>
> Andy.
>
> --
>   Andy Gumbrecht
>   https://twitter.com/AndyGeeDe
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Romain Manni-Bucau
Fixed in jcs, batchee, owb, tomee, openjpa
AMQ already had the fix
opened an issue for myfaces


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[hidden email]>:

> You can run the code you want more or less. Openjpa got the same issue and
> fixed it months ago.
>
> Ill add the filter today
> Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :
>
>> What is the dangerous option, so we can inform people of the danger?
>>
>> Andy.
>>
>> --
>>   Andy Gumbrecht
>>   https://twitter.com/AndyGeeDe
>>
>>
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Lukas Kohl
Hello Romain,
thank your very much, this was quite fast !
You mentioned, that there is only one Dangerous place. Which place in
OpenEJB is this ?

I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe ?


Kind regards,
Lukas



Von:    Romain Manni-Bucau <[hidden email]>
An:     "[hidden email]" <[hidden email]>
Datum:  27.11.2015 13:16
Betreff:        [SPAM] Re: Unsecure deserialization of Java Objects



Fixed in jcs, batchee, owb, tomee, openjpa
AMQ already had the fix
opened an issue for myfaces


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <
https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[hidden email]>:

> You can run the code you want more or less. Openjpa got the same issue
and

> fixed it months ago.
>
> Ill add the filter today
> Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :
>
>> What is the dangerous option, so we can inform people of the danger?
>>
>> Andy.
>>
>> --
>>   Andy Gumbrecht
>>   https://twitter.com/AndyGeeDe
>>
>>





www.ergodirekt.de

Blog: http://blog.ergodirekt.de
Facebook: www.facebook.com/ERGODirekt
Google+: www.google.com/+ergodirekt
Twitter: www.twitter.com/ERGODirekt
YouTube: www.youtube.com/ERGODirekt
_______________________

ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 · UST-ID-Nr. DE159593454
ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr. DE159593438
ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 · UST-ID-Nr. DE159593446
Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian Diedrich
Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg Stoffels · Sitz: Fürth
Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Romain Manni-Bucau
"one place" = one feature in tomee codebase, all the projects I mentionned
can use it, here a small overview:

- jcs: depends your plugins (no risk by default ie in in-memory mode)
- openjpa: depend if you serialize openjpa instances (if so you probably
have other troubles you are aware or not ;), see struberg slides for
details on this)
- batchee: you can use this code but it is not used remotely normally so no
real risk
- openwebbeans: depends if you use serializable scopes and how (no risk
with default setup)
- activemq: risk using a remote broker
- tomee: medium risk using ejbd protocol




Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 13:48 GMT+01:00 Lukas Kohl <[hidden email]>:

> Hello Romain,
> thank your very much, this was quite fast !
> You mentioned, that there is only one Dangerous place. Which place in
> OpenEJB is this ?
>
> I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe ?
>
>
> Kind regards,
> Lukas
>
>
>
> Von:    Romain Manni-Bucau <[hidden email]>
> An:     "[hidden email]" <[hidden email]>
> Datum:  27.11.2015 13:16
> Betreff:        [SPAM] Re: Unsecure deserialization of Java Objects
>
>
>
> Fixed in jcs, batchee, owb, tomee, openjpa
> AMQ already had the fix
> opened an issue for myfaces
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[hidden email]>:
>
> > You can run the code you want more or less. Openjpa got the same issue
> and
> > fixed it months ago.
> >
> > Ill add the filter today
> > Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :
> >
> >> What is the dangerous option, so we can inform people of the danger?
> >>
> >> Andy.
> >>
> >> --
> >>   Andy Gumbrecht
> >>   https://twitter.com/AndyGeeDe
> >>
> >>
>
>
>
>
>
> www.ergodirekt.de
>
> Blog: http://blog.ergodirekt.de
> Facebook: www.facebook.com/ERGODirekt
> Google+: www.google.com/+ergodirekt
> Twitter: www.twitter.com/ERGODirekt
> YouTube: www.youtube.com/ERGODirekt
> _______________________
>
> ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
> UST-ID-Nr. DE159593454
> ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
> DE159593438
> ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
> UST-ID-Nr. DE159593446
> Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und
> der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian
> Diedrich
> Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg
> Stoffels · Sitz: Fürth
> Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
> IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
>
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

AndyG
Yep, that should be all non DMZ, unless you're crazy. So I guess we can
just post a warning people to be aware.
If we become aware of real DMZ issues within TomEE itself then we need
to post as much info on this as possible.

On 27/11/2015 13:53, Romain Manni-Bucau wrote:

> "one place" = one feature in tomee codebase, all the projects I mentionned
> can use it, here a small overview:
>
> - jcs: depends your plugins (no risk by default ie in in-memory mode)
> - openjpa: depend if you serialize openjpa instances (if so you probably
> have other troubles you are aware or not ;), see struberg slides for
> details on this)
> - batchee: you can use this code but it is not used remotely normally so no
> real risk
> - openwebbeans: depends if you use serializable scopes and how (no risk
> with default setup)
> - activemq: risk using a remote broker
> - tomee: medium risk using ejbd protocol
>
>
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-11-27 13:48 GMT+01:00 Lukas Kohl <[hidden email]>:
>
>> Hello Romain,
>> thank your very much, this was quite fast !
>> You mentioned, that there is only one Dangerous place. Which place in
>> OpenEJB is this ?
>>
>> I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe ?
>>
>>
>> Kind regards,
>> Lukas
>>
>>
>>
>> Von:    Romain Manni-Bucau <[hidden email]>
>> An:     "[hidden email]" <[hidden email]>
>> Datum:  27.11.2015 13:16
>> Betreff:        [SPAM] Re: Unsecure deserialization of Java Objects
>>
>>
>>
>> Fixed in jcs, batchee, owb, tomee, openjpa
>> AMQ already had the fix
>> opened an issue for myfaces
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>> <http://www.tomitribe.com>
>>
>> 2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[hidden email]>:
>>
>>> You can run the code you want more or less. Openjpa got the same issue
>> and
>>> fixed it months ago.
>>>
>>> Ill add the filter today
>>> Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :
>>>
>>>> What is the dangerous option, so we can inform people of the danger?
>>>>
>>>> Andy.
>>>>
>>>> --
>>>>    Andy Gumbrecht
>>>>    https://twitter.com/AndyGeeDe
>>>>
>>>>
>>
>>
>>
>>
>> www.ergodirekt.de
>>
>> Blog: http://blog.ergodirekt.de
>> Facebook: www.facebook.com/ERGODirekt
>> Google+: www.google.com/+ergodirekt
>> Twitter: www.twitter.com/ERGODirekt
>> YouTube: www.youtube.com/ERGODirekt
>> _______________________
>>
>> ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
>> UST-ID-Nr. DE159593454
>> ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
>> DE159593438
>> ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
>> UST-ID-Nr. DE159593446
>> Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und
>> der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
>> Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian
>> Diedrich
>> Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg
>> Stoffels · Sitz: Fürth
>> Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
>> UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
>> IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
>>

--
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe

Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Lars-Fredrik Smedberg
In reply to this post by Romain Manni-Bucau
Hi

@Romain, I would be interested to see how such a fix is implemented. Can
you give pointers to look at some code?

Thanks

Regards
LF

On Fri, Nov 27, 2015 at 1:53 PM, Romain Manni-Bucau <[hidden email]>
wrote:

> "one place" = one feature in tomee codebase, all the projects I mentionned
> can use it, here a small overview:
>
> - jcs: depends your plugins (no risk by default ie in in-memory mode)
> - openjpa: depend if you serialize openjpa instances (if so you probably
> have other troubles you are aware or not ;), see struberg slides for
> details on this)
> - batchee: you can use this code but it is not used remotely normally so no
> real risk
> - openwebbeans: depends if you use serializable scopes and how (no risk
> with default setup)
> - activemq: risk using a remote broker
> - tomee: medium risk using ejbd protocol
>
>
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-11-27 13:48 GMT+01:00 Lukas Kohl <[hidden email]>:
>
> > Hello Romain,
> > thank your very much, this was quite fast !
> > You mentioned, that there is only one Dangerous place. Which place in
> > OpenEJB is this ?
> >
> > I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe
> ?
> >
> >
> > Kind regards,
> > Lukas
> >
> >
> >
> > Von:    Romain Manni-Bucau <[hidden email]>
> > An:     "[hidden email]" <[hidden email]>
> > Datum:  27.11.2015 13:16
> > Betreff:        [SPAM] Re: Unsecure deserialization of Java Objects
> >
> >
> >
> > Fixed in jcs, batchee, owb, tomee, openjpa
> > AMQ already had the fix
> > opened an issue for myfaces
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <http://rmannibucau.wordpress.com> | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com>
> >
> > 2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[hidden email]>:
> >
> > > You can run the code you want more or less. Openjpa got the same issue
> > and
> > > fixed it months ago.
> > >
> > > Ill add the filter today
> > > Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :
> > >
> > >> What is the dangerous option, so we can inform people of the danger?
> > >>
> > >> Andy.
> > >>
> > >> --
> > >>   Andy Gumbrecht
> > >>   https://twitter.com/AndyGeeDe
> > >>
> > >>
> >
> >
> >
> >
> >
> > www.ergodirekt.de
> >
> > Blog: http://blog.ergodirekt.de
> > Facebook: www.facebook.com/ERGODirekt
> > Google+: www.google.com/+ergodirekt
> > Twitter: www.twitter.com/ERGODirekt
> > YouTube: www.youtube.com/ERGODirekt
> > _______________________
> >
> > ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
> > UST-ID-Nr. DE159593454
> > ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
> > DE159593438
> > ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
> > UST-ID-Nr. DE159593446
> > Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und
> > der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> > Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian
> > Diedrich
> > Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg
> > Stoffels · Sitz: Fürth
> > Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> > UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
> > IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
> >
>



--
Med vänlig hälsning / Best regards

Lars-Fredrik Smedberg

STATEMENT OF CONFIDENTIALITY:
The information contained in this electronic message and any
attachments to this message are intended for the exclusive use of the
address(es) and may contain confidential or privileged information. If
you are not the intended recipient, please notify Lars-Fredrik Smedberg
immediately at [hidden email], and destroy all copies of this
message and any attachments.
Reply | Threaded
Open this post in threaded view
|

Re: Unsecure deserialization of Java Objects

Romain Manni-Bucau
the fix uses hardcoded blacklist of unserializable classes and allows to
configure a whitelist of unserializable classes (this last one being the
only really secured case but the other one is the best we can do and
already makes it harder to exploit the issue).


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-11-27 15:17 GMT+01:00 Lars-Fredrik Smedberg <[hidden email]>:

> Hi
>
> @Romain, I would be interested to see how such a fix is implemented. Can
> you give pointers to look at some code?
>
> Thanks
>
> Regards
> LF
>
> On Fri, Nov 27, 2015 at 1:53 PM, Romain Manni-Bucau <[hidden email]
> >
> wrote:
>
> > "one place" = one feature in tomee codebase, all the projects I
> mentionned
> > can use it, here a small overview:
> >
> > - jcs: depends your plugins (no risk by default ie in in-memory mode)
> > - openjpa: depend if you serialize openjpa instances (if so you probably
> > have other troubles you are aware or not ;), see struberg slides for
> > details on this)
> > - batchee: you can use this code but it is not used remotely normally so
> no
> > real risk
> > - openwebbeans: depends if you use serializable scopes and how (no risk
> > with default setup)
> > - activemq: risk using a remote broker
> > - tomee: medium risk using ejbd protocol
> >
> >
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <http://rmannibucau.wordpress.com> | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com>
> >
> > 2015-11-27 13:48 GMT+01:00 Lukas Kohl <[hidden email]>:
> >
> > > Hello Romain,
> > > thank your very much, this was quite fast !
> > > You mentioned, that there is only one Dangerous place. Which place in
> > > OpenEJB is this ?
> > >
> > > I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I
> safe
> > ?
> > >
> > >
> > > Kind regards,
> > > Lukas
> > >
> > >
> > >
> > > Von:    Romain Manni-Bucau <[hidden email]>
> > > An:     "[hidden email]" <[hidden email]>
> > > Datum:  27.11.2015 13:16
> > > Betreff:        [SPAM] Re: Unsecure deserialization of Java Objects
> > >
> > >
> > >
> > > Fixed in jcs, batchee, owb, tomee, openjpa
> > > AMQ already had the fix
> > > opened an issue for myfaces
> > >
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > <http://rmannibucau.wordpress.com> | Github <
> > > https://github.com/rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > > <http://www.tomitribe.com>
> > >
> > > 2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[hidden email]>:
> > >
> > > > You can run the code you want more or less. Openjpa got the same
> issue
> > > and
> > > > fixed it months ago.
> > > >
> > > > Ill add the filter today
> > > > Le 27 nov. 2015 12:00, "Andy" <[hidden email]> a écrit :
> > > >
> > > >> What is the dangerous option, so we can inform people of the danger?
> > > >>
> > > >> Andy.
> > > >>
> > > >> --
> > > >>   Andy Gumbrecht
> > > >>   https://twitter.com/AndyGeeDe
> > > >>
> > > >>
> > >
> > >
> > >
> > >
> > >
> > > www.ergodirekt.de
> > >
> > > Blog: http://blog.ergodirekt.de
> > > Facebook: www.facebook.com/ERGODirekt
> > > Google+: www.google.com/+ergodirekt
> > > Twitter: www.twitter.com/ERGODirekt
> > > YouTube: www.youtube.com/ERGODirekt
> > > _______________________
> > >
> > > ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 ·
> > > UST-ID-Nr. DE159593454
> > > ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr.
> > > DE159593438
> > > ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 ·
> > > UST-ID-Nr. DE159593446
> > > Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG
> und
> > > der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> > > Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG:
> Christian
> > > Diedrich
> > > Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr.
> Jörg
> > > Stoffels · Sitz: Fürth
> > > Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> > > UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202
> 70
> > > IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
> > >
> >
>
>
>
> --
> Med vänlig hälsning / Best regards
>
> Lars-Fredrik Smedberg
>
> STATEMENT OF CONFIDENTIALITY:
> The information contained in this electronic message and any
> attachments to this message are intended for the exclusive use of the
> address(es) and may contain confidential or privileged information. If
> you are not the intended recipient, please notify Lars-Fredrik Smedberg
> immediately at [hidden email], and destroy all copies of this
> message and any attachments.
>