Do the unserialization/deserialization exploits against the commons-collections library affect Red Hat JBoss products? (CVE-2015-7501)


Environment

  • Red Hat JBoss A-MQ 6.x
  • Red Hat JBoss BPM Suite (BPMS) 6.x
  • Red Hat JBoss BRMS 6.x
  • Red Hat JBoss BRMS 5.x
  • Red Hat JBoss Data Grid (JDG) 6.x
  • Red Hat JBoss Data Virtualization (JDV) 6.x
  • Red Hat JBoss Data Virtualization (JDV) 5.x
  • Red Hat JBoss Enterprise Application Platform 6.x
  • Red Hat JBoss Enterprise Application Platform 5.x
  • Red Hat JBoss Enterprise Application Platform 4.3.x
  • Red Hat JBoss Fuse 6.x
  • Red Hat JBoss Fuse Service Works (FSW) 6.x
  • Red Hat JBoss Operations Network (JBoss ON) 3.x
  • Red Hat JBoss Portal 6.x
  • Red Hat JBoss SOA Platform (SOA-P) 5.x
  • Red Hat JBoss Web Server (JWS) 3.x

Issue

  • An issue was reported in Java object serialization affecting the JMXInvokerServlet interface:
    http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

  • Could an unauthenticated attacker, able to access the JMXInvokerServlet, execute arbitrary code in the context of the user running the JBoss server?

  • We have received an alert from our security team on a zero-day vulnerability. Is Red Hat aware of this vulnerability and of a workaround or fix? If yes, please provide details.
  • Is there a remote code execution vulnerability in the commons-collections library?

  • Do CVE-2015-7501 or CVE-2015-4852 affect the JBoss Middleware Suite?

Resolution

If you cannot patch, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) from all commons-collections jar files. Any manual changes should be tested to avoid unforeseen complications.

If you package the commons-collections library in your application yourself, you may still be vulnerable even after the forthcoming patches are applied, since those patches only cover the copies shipped with the products. You will need to make the same change to any commons-collections library you package.
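As an added example (not part of this solution), the following script carries out the class-removal workaround described above: it scans a directory tree for jars that contain the three named classes and, when asked, rewrites each such jar without them, keeping the original as a .bak file. The collections4 package root is an assumption added here; the solution only names commons-collections jars.

```python
import os
import tempfile
import zipfile

# The three classes the Resolution says to remove, under either package root.
# The collections4 root is an assumption; the solution only names commons-collections.
GADGET_FILES = {c + ".class" for c in
                ("InvokerTransformer", "InstantiateFactory", "InstantiateTransformer")}
PACKAGES = ("org/apache/commons/collections/", "org/apache/commons/collections4/")

def gadget_entries(jar_path):
    """Return the entries in jar_path that are one of the gadget classes."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist()
                if n.startswith(PACKAGES) and n.rsplit("/", 1)[-1] in GADGET_FILES]

def strip_gadgets(jar_path):
    """Rewrite jar_path without the gadget classes; the original is kept as <jar>.bak."""
    removed = gadget_entries(jar_path)
    if not removed:
        return []
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in removed:
                dst.writestr(info, src.read(info.filename))
    os.replace(jar_path, jar_path + ".bak")  # keep the original for rollback
    os.replace(tmp, jar_path)
    return removed

def scan_tree(root, fix=False):
    """Report (jar, gadget entries) for every jar under root; fix=True also strips them."""
    jars = (os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs if f.endswith(".jar"))
    hits = []
    for p in jars:
        found = strip_gadgets(p) if fix else gadget_entries(p)
        if found:
            hits.append((p, found))
    return hits

def demo():
    """Constructed fixture: a fake jar holding two gadget classes and one harmless class."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "commons-collections-3.2.1.jar")
        with zipfile.ZipFile(jar, "w") as zf:
            for n in ("functors/InvokerTransformer", "functors/InstantiateFactory", "map/LazyMap"):
                zf.writestr("org/apache/commons/collections/%s.class" % n, b"not real bytecode")
        removed = [e for _, found in scan_tree(d, fix=True) for e in found]
        with zipfile.ZipFile(jar) as zf:
            return sorted(removed), gadget_entries(jar), zf.namelist()
```

Run scan_tree(root) first to list affected jars, then scan_tree(root, fix=True) with the server stopped, and test the result as the solution advises.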

This issue, as it affects the JBoss Middleware Suite, should be referred to as CVE-2015-7501. Other vendors have referred to it as CVE-2015-4852.

Root Cause

This is a multi-part flaw, with several conditions necessary to allow an exploit. For remote code execution (RCE) by an attacker to work, the configuration must:

  • Accept untrusted serialized data
  • Blindly deserialize that data
  • Have the vulnerable classes available on the classpath

For more information about the JMXInvokerServlet specifically, please see this article.

Customers are encouraged to take a "defense-in-depth" approach to securing their systems. Red Hat Product Security is determining the best path forward generally for its products with regard to this vulnerability and the larger class of deserialization vulnerabilities.

More information about the issues of Java deserialization can be found in the Red Hat Security Blog. We'll also have more blogs on this topic in the near future.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
