Critical vulnerability in WebSphere Application Server (CVE-2015-7450)

Critical vulnerability in WebSphere Application Server (CVE-2015-7450)

Hi all,

as you maybe already heard, a critical vulnerability has been detected in J2EE application servers such as (WebSphere Application Server, JBoss, WebLogic …).

This security issue describes a problem that comes into play when Java code uses deserialization of objects (a fundamental feature of Java object oriented programming language):

"Java provides a mechanism, called object serialization where an object can be represented as a sequence of 
bytes that includes the object's data as well as information about the object's type and the types of data stored in the object.

After a serialized object has been written into a file, it can be read from the file and deserialized that is, the type 
information and bytes that represent the object and its data can be used to recreate the object in memory.

Most impressive is that the entire process is JVM independent, meaning an object can be serialized on one platform and 
deserialized on an entirely different platform."

The problem here is that some applications do not check if those objects are trustable. This means that an attacker that can send a matching object to the J2EE Server has a real chance to do some very bad things!

This vulnerability was reported by Steve Breen of Foxglove here and was proven to exists in the Apache Commons Components library. This library is widely used in IBM Connections (nearly all features use this library) and WebSphere Application Server in general:

Bildschirmfoto 2015-11-18 um 13.36.12

IBM provides a description and an iFix for this issue that is available for all supported WAS versions.

It seems that the iFix installs a newer version (3.2.2) of common-collections (Also possible that the iFix disables the InvokerTransformer function without installing a new version):

De-serialization of "InvokerTransformer" is disabled by default as this can be exploited for remote code execution attacks. 
To re-enable the feature the system property "org.apache.commons.collections.invokertransformer.enableDeserialization" needs to be set to "true".

IBM`s security alert has a CVSS Base Score of 9,8 out of 10. So nearly the highest risk possible.

I propose my customers to install this iFix no matter if the environment is available from Internet or not. A potential danger could also be an internal user that accesses those systems using VPN or LAN.

You should also watch for own custom code deployed on e.g. WebSphere Application Server / WebSphere Portal Server / IBM Connections if it is makes use of any old versions of common-collections library.

After installing the iFix, common-components libraries used in IBM Connections do not seem to be updated – only those of the AppServer base installation. So it is still unclear if and when IBM will update IBM Connections and WebSphere Portal specific apps to use the newer version of apache-common-components library. It may also be the case that those applications do not make use of the affected “InvolkerTransformer” feature…

Furthermore, I think it is not yet clear if other libraries are affected by this vulnerability. Many things are still unclear, so that it is highly recommended to close down Admin / SOAP Ports from Internet and restrict access to those environments to HTTPS only! Keep your network / firewall up to date!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.