Gal_Goldshtein
F5 Employee

In late August 2017 Red Hat published a security advisory for an arbitrary code execution vulnerability in JBoss, and a proof-of-concept exploit has since been released publicly. It joins the long list of unsafe deserialization vulnerabilities disclosed this year.

The vulnerable code is part of the HTTP Invoker service, which exposes JBoss's Remote Method Invocation (RMI) interfaces over HTTP. The service was first introduced in JBoss Application Server 3.0.3 (released in September 2002) and is installed by default on versions prior to 7.0.0.

Figure 1: invoker.war package pre-installed on JBoss Application Server 5.

The unsafe deserialization takes place in ReadOnlyAccessFilter.java, which receives the request object and calls readObject() on the POST body without performing any validation on the user-supplied input. This lets an attacker send a crafted serialized object to the server which, once deserialized, triggers arbitrary code execution in the context of the user running the vulnerable JBoss server. As with other Java deserialization flaws, the payload is a gadget chain assembled from classes already present on the server's classpath, so the attacker needs no code of their own on the target beyond the serialized bytes.
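The following is an added example, not code from the article or from JBoss: it shows the unsafe pattern the article describes (feeding the raw POST body to ObjectInputStream.readObject()) next to a hardened stream that refuses to resolve any class not on an explicit allow list. The class and method names, and the use of a serialized java.util.HashMap to stand in for the POST body, are assumptions made for the example.

```java
import java.io.*;
import java.util.Set;

public class InvokerDeserializationExample {

    // Unsafe: mirrors the pattern described above. Whatever bytes arrive in the
    // request body are handed straight to readObject(); a gadget chain runs here.
    public static Object unsafeReadObject(InputStream body)
            throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(body);
        return ois.readObject();
    }

    // Hardened: resolveClass() is invoked for every class descriptor in the
    // stream before any instance of that class is created, so rejecting
    // unexpected names there stops a gadget chain before its first step.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    public static Object safeReadObject(InputStream body, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(body, allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample body: a serialized empty HashMap (assumption; a real
        // exploit would carry a gadget chain instead).
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new java.util.HashMap<String, String>());
        }
        byte[] body = buf.toByteArray();

        // The unsafe path deserializes anything, gadget chains included.
        System.out.println("unsafe accepted: "
                + unsafeReadObject(new ByteArrayInputStream(body)).getClass().getName());

        // The hardened path rejects the stream because HashMap is not on the allow list.
        try {
            safeReadObject(new ByteArrayInputStream(body), Set.of("java.lang.String"));
            System.out.println("hardened accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("hardened rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later (and 8u121+), the same effect is available without subclassing through ObjectInputFilter (JEP 290), which can be set per stream or process-wide. Either way, an allow list in the deserializer is defense in depth; it does not replace applying the vendor fix or removing an invoker that the deployment does not need.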

Figure 2: User supplied input is being deserialized without any validations being made on it.

Figure 3: Part of the POST request sent by the Proof-of-Concept exploit.

Mitigation Using BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by the existing Java code injection and command execution attack signatures, which are included in signature sets that cover the "Command Execution" and "Server Side Code Injection" attack types or the "Java Servlets/JSP" system.
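To make the detection side concrete, here is an added example of the kind of check a request filter can apply in front of the invoker; it is not F5's signature logic or JBoss code. A request body in Java serialization format always begins with the stream magic 0xACED0005, and every TC_CLASSDESC record (0x72) is followed by a two-byte length and the class name, so a filter can refuse serialized bodies outright on the invoker path and log which classes a stream names. The class and method names, the "/invoker/" path prefix and the constructed sample bodies are assumptions made for the example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SerializedPayloadCheck {
    // Java serialization header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final int TC_CLASSDESC = 0x72;

    public static boolean isSerializedStream(byte[] body) {
        if (body.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (body[i] != MAGIC[i]) return false;
        }
        return true;
    }

    // Heuristic scan for class names: does not parse the full stream grammar
    // (block data, back references), so it is for logging and triage, not for
    // deciding what is safe. Array descriptors such as "[Ljava.lang.Object;" are
    // deliberately skipped by the name pattern.
    public static List<String> classNames(byte[] body) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 < body.length; i++) {
            if ((body[i] & 0xFF) != TC_CLASSDESC) continue;
            int len = ((body[i + 1] & 0xFF) << 8) | (body[i + 2] & 0xFF);
            if (len == 0 || i + 3 + len > body.length) continue;
            String name = new String(body, i + 3, len, StandardCharsets.UTF_8);
            if (name.matches("[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)*")) {
                names.add(name);
            }
        }
        return names;
    }

    // Policy: a serialized object body aimed at the invoker is rejected regardless
    // of which classes it names. The path prefix is an assumption for the example.
    public static boolean shouldBlock(String path, byte[] body) {
        return path.startsWith("/invoker/") && isSerializedStream(body);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample 1: a serialized empty HashMap as the POST body.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new java.util.HashMap<String, String>());
        }
        byte[] serialized = buf.toByteArray();
        // Constructed sample 2: an ordinary form-encoded body.
        byte[] form = "user=alice&action=list".getBytes(StandardCharsets.UTF_8);

        System.out.println("serialized? " + isSerializedStream(serialized)
                + " classes=" + classNames(serialized)
                + " block=" + shouldBlock("/invoker/readonly", serialized));
        System.out.println("form body serialized? " + isSerializedStream(form)
                + " block=" + shouldBlock("/invoker/readonly", form));
    }
}
```

Checking the magic bytes is cheap and has no false positives for ordinary form or JSON bodies; the class-name scan is what turns a blocked request into a useful log line (for instance, which gadget library the payload was built from) for the incident responder.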

Figure 4: Exploit blocked with Attack Signature (200003437)

Figure 5: Exploit blocked with Attack Signature (200003057)

Figure 6: Exploit blocked with Attack Signature (200004297)

Figure 7: Exploit blocked with Attack Signature (200004298)

Figure 8: Exploit blocked with Attack Signature (200004299)

Last update: 31-Dec-2017 08:09