What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common?

What?

The most underrated, underhyped vulnerability of 2015 has recently come to my attention, and I’m about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof-of-concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, and neither have many more. No patch is available for the Java library containing the vulnerability either. Beyond the commercial products that are vulnerable, this also affects many custom applications.

In this post I’ll be dropping pre-authentication, remote code execution exploits that leverage this vulnerability for WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. All on the newest versions. Even more interesting, I’ll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits. This should empower you to go out and find this same bug in your own software or in commercial products that you or your clients use. All code can be found on the FoxGlove Security GitHub.

I’ll also be touching on why this bug is unlikely to go away soon. You can infuriate your developers and ops people by telling them to follow the instructions in “The Fix” section to remediate this in your environment. It will fix it, but it’s an admittedly ugly solution.

This post is going to be long. Because I’m a nice person, I made you an index. Feel free to skip straight to the exploits if you’ve got better things to do than read my rambling:

  1. Background – Unserialize vulnerabilities and why didn’t I hear about this sooner?
  2. The Vulnerability – Light details on the work of @frohoff and @gebl
  3. How Common is Commons? – How to find software that is vulnerable
  4. Exploit Dev for Skiddies – The high level process to using this vulnerability
  5. Exploit 1 – WebSphere Application Server
  6. Exploit 2 – JBoss Application Server
  7. Exploit 3 – Jenkins
  8. Exploit 4 – WebLogic Application Server
  9. Exploit 5 – OpenNMS Through RMI
  10. The Fix – How to Monkey Patch Your Servers

...

The article is long, so I am not pasting the rest here; read the original directly.

Original: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#background

Time: 2024-11-06 03:34:01
