Java's object serialization feature allows for remote code execution with exploits based on the widely used Java library "commons-collections" or other classes [3]. The core of the problem is the acceptance of unvalidated user input as object data which is then deserialized into objects. Serialized Java objects are used in the Java RMI protocol or custom applications transferring data using object serialization. Depending on application design, serialized Java objects may also be transmitted in HTTP parameters or headers, putting public web applications at risk.
Airlock WAF, Airlock WAF Add-ons, Airlock Login and Airlock IAM are not affected by the described vulnerability, because Java's object serialization features are not used on externally-provided input data.
Completely eliminating the vulnerability in all applications may take some time. However, there are a couple of central protection measures that immediately mitigate the risk of being exploited remotely, such as deploying a virtual patch on Airlock WAF.
1. Deploy Virtual Patches on Airlock WAF Define a custom Deny Rule on Airlock WAF to protect back-end applications. The filter given below blocks serialized Java objects transferred from web clients to back-ends.
2. Use Upstream Authentication Protect public access to your applications using upstream authentication, e.g., using Airlock Login. Hence, vulnerable applications will no longer be exposed to anonymous users on the Internet. |
3. Remove Vulnerable Classes from Classpath To protect against the exploits in [2], identify the commons-collections jar files on application classpaths and remove the classes - InvokerTransformer As jar files are actually zip files, this can be done using any archiving tool supporting zip. Note, however, that other classes may be leveraged for similar attacks [3]. 4. Apply Input Validation Of course, disabling object serialization is the safest way to go. If your application must use object serialization, apply input validation before deserializing objects, e.g., by whitelisting acceptable objects.
|
[1] Zero-Day-Alarm für viele Server mit Java (heise.de)
[3] More serialization hacks with AnnotationInvocationHandler (coekaerts.be)