Gal_Goldshtein
F5 Employee

Recently a new vulnerability in Jackson, a popular Java library used for parsing JSON, was published and assigned CVE-2017-7525 and later extended with CVE-2017-15095.

The Jackson-databind package allows programmers to construct Java objects out of JSON documents. As we have seen in other cases, deserializing untrusted user input and constructing an object out of it may lead to serious consequences such as remote code execution.

The Jackson-databind package developers mitigated the vulnerability by creating and maintaining a blacklist of class names whose deserialization may allow attackers to achieve remote code execution.

For every JSON document deserialized by Jackson-databind, the class name of the object to be constructed is checked against this list.

Figure 1: Blacklisted classes as seen in the Jackson-databind source code.

Figure 2: Each JSON document being deserialized is checked against the blacklisted classes.

The Jackson library is also used by the Apache Struts 2 framework, and therefore a security bulletin regarding this vulnerability was published for Struts as well (S2-055).

Mitigating the vulnerability with BIG-IP ASM

ASM users are encouraged to add the following user defined attack signatures to detect exploitation attempts for this vulnerability:

content:"JndiRefForwardingDataSource"; nocase; re2:"/com\W*?[\.\/]\W*?mchange\W*?[\.\/]\W*?v2\W*?[\.\/]\W*?c3p0\W*?[\.\/]\W*?JndiRefForwardingDataSource/i";

content:"WrapperConnectionPoolDataSource"; nocase; re2:"/com\W*?[\.\/]\W*?mchange\W*?[\.\/]\W*?v2\W*?[\.\/]\W*?c3p0\W*?[\.\/]\W*?WrapperConnectionPoolDataSource/i";

content:"InvokerTransformer"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?commons\W*?[\.\/]\W*?collections4?\W*?[\.\/]\W*?functors\W*?[\.\/]\W*?InvokerTransformer/i";

content:"AbstractBeanFactoryPointcutAdvisor"; nocase; re2:"/org\W*?[\.\/]\W*?springframework\W*?[\.\/]\W*?aop\W*?[\.\/]\W*?support\W*?[\.\/]\W*?AbstractBeanFactoryPointcutAdvisor/i";

content:"InstantiateTransformer"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?commons\W*?[\.\/]\W*?collections4?\W*?[\.\/]\W*?functors\W*?[\.\/]\W*?InstantiateTransformer/i";

content:"ConvertedClosure"; nocase; re2:"/org[\.\/]codehaus[\.\/]groovy[\.\/]runtime[\.\/]ConvertedClosure/i";

content:"MethodClosure"; nocase; re2:"/org\W*?[\.\/]\W*?codehaus\W*?[\.\/]\W*?groovy\W*?[\.\/]\W*?runtime\W*?[\.\/]\W*?MethodClosure/i";

content:"ObjectFactory"; nocase; re2:"/org\W*?[\.\/]\W*?springframework\W*?[\.\/]\W*?beans\W*?[\.\/]\W*?factory\W*?[\.\/]\W*?ObjectFactory/i";

content:"TemplatesImpl"; nocase; re2:"/com\W*?[\.\/]\W*?sun\W*?[\.\/]\W*?org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?xalan\W*?[\.\/]\W*?internal\W*?[\.\/]\W*?xsltc\W*?[\.\/]\W*?trax\W*?[\.\/]\W*?TemplatesImpl/i";

content:"TemplatesImpl"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?xalan\W*?[\.\/]\W*?xsltc\W*?[\.\/]\W*?trax\W*?[\.\/]\W*?TemplatesImpl/i";

content:"JdbcRowSetImpl"; nocase; re2:"/com\W*?[\.\/]\W*?sun\W*?[\.\/]\W*?rowset\W*?[\.\/]\W*?JdbcRowSetImpl/i";

content:"FileHandler"; nocase; re2:"/java\W*?[\.\/]\W*?util\W*?[\.\/]\W*?logging\W*?[\.\/]\W*?FileHandler/i";

content:"UnicastRemoteObject"; nocase; re2:"/java\W*?[\.\/]\W*?rmi\W*?[\.\/]\W*?server\W*?[\.\/]\W*?UnicastRemoteObject/i";

content:"PropertyPathFactoryBean"; nocase; re2:"/org\W*?[\.\/]\W*?springframework\W*?[\.\/]\W*?beans\W*?[\.\/]\W*?factory\W*?[\.\/]\W*?config.PropertyPathFactoryBean/i";

These signatures are due to be included in the next ASU, which is being released in early January.
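To see how these content/re2 signatures behave on request bodies, here is an added Python example (not F5's code, and not how ASM itself evaluates signatures): it parses a constructed subset of the signature lines above and runs them over constructed sample bodies, including JSON-escaped-slash and mixed-case variants that the `\W*?[\.\/]\W*?` and `/i` parts of the patterns are written to tolerate.

```python
import re

# Constructed subset of the article's signature lines; their re2 bodies use only
# syntax that Python's re engine also accepts, so they can be compiled as-is.
SIGNATURE_LINES = [
    r'content:"JndiRefForwardingDataSource"; nocase; re2:"/com\W*?[\.\/]\W*?mchange\W*?[\.\/]\W*?v2\W*?[\.\/]\W*?c3p0\W*?[\.\/]\W*?JndiRefForwardingDataSource/i";',
    r'content:"InvokerTransformer"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?commons\W*?[\.\/]\W*?collections4?\W*?[\.\/]\W*?functors\W*?[\.\/]\W*?InvokerTransformer/i";',
    r'content:"JdbcRowSetImpl"; nocase; re2:"/com\W*?[\.\/]\W*?sun\W*?[\.\/]\W*?rowset\W*?[\.\/]\W*?JdbcRowSetImpl/i";',
]

# Parses: content:"<literal>"; [nocase;] re2:"/<regex>/<flags>"[;]  (trailing "; optional,
# since one line in the article lacks it).
SIG_LINE = re.compile(
    r'content:"(?P<content>[^"]+)";\s*(?P<nocase>nocase;)?\s*re2:"/(?P<regex>.+)/(?P<flags>[a-z]*)"?;?\s*$'
)


def load_signatures(lines):
    """Return a list of (content literal, nocase flag, compiled regex) tuples."""
    sigs = []
    for line in lines:
        m = SIG_LINE.search(line.strip())
        if not m:
            raise ValueError("unparseable signature line: " + line)
        nocase = m.group("nocase") is not None
        flags = re.IGNORECASE if (nocase or "i" in m.group("flags")) else 0
        sigs.append((m.group("content"), nocase, re.compile(m.group("regex"), flags)))
    return sigs


def matching_signatures(sigs, body):
    """Content literals of every signature whose literal AND regex both match body."""
    hits = []
    for content, nocase, rx in sigs:
        hay, needle = (body.lower(), content.lower()) if nocase else (body, content)
        if needle in hay and rx.search(body):  # literal acts as a cheap pre-filter
            hits.append(content)
    return hits


# Constructed sample bodies: benign, plain class name, JSON-escaped slashes, mixed case.
SAMPLES = {
    "benign": '{"user": "alice", "roles": ["reader"]}',
    "plain": '{"@class": "com.mchange.v2.c3p0.JndiRefForwardingDataSource"}',
    "escaped_slash": r'{"@class": "com\/sun\/rowset\/JdbcRowSetImpl"}',
    "mixed_case": '{"handler": "ORG.apache.Commons.collections4.functors.InvokerTransformer"}',
}


def scan_samples():
    """Map each sample name to the list of signatures it triggers."""
    sigs = load_signatures(SIGNATURE_LINES)
    return {name: matching_signatures(sigs, body) for name, body in SAMPLES.items()}
```

Running `scan_samples()` shows the benign body triggers nothing while each of the three variants triggers exactly the signature for the class it names.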

Comments
Romani_2788
Historic F5 Account

The latest ASM Attack Signature file available for download at downloads.f5.com now contains Attack Signatures that protect against this vulnerability.

 

Customers should look to installing this latest ASM Attack Signature file.

 

Les_Opp_125023
Nimbostratus

Can you provide the signature IDs? I looked at the readme.txt associated with update: v11.5.5/ASM-SignatureFile_20171227_172355 and am not sure which signatures apply.

 

Remco
Nimbostratus

I would also like to know which signature IDs I should select, or which signature set.

 

Romani_2788
Historic F5 Account

There is a long list of signatures that protect against this vulnerability, including -- 200004318, 200004301 and 200004313. These typically can be found in the signature sets including:

 

  • WebSphere signatures
  • Server Side Code Injection Signatures
  • Medium Accuracy Signatures

Hope this helps.

 

Version history
Last update:
07-Dec-2017 05:59