Apache Commons Collections Vulnerability: Is Integration Server Exploitable?


This was brought to the attention of our IT security team today:


A scan of servers for the Apache Commons Collections classes found that all of the webMethods products have this file in their directory and load it into their classpath.

We have disabled the 9999 default diagnostic ports internally; these were never exposed through our firewall. We did this because we suspected that the JMX implementation in the services allowed on this port probably uses Objects and serialization. We have not monitored traffic to confirm the presence of serialized Objects yet; this was done out of caution.

However, it is impossible to tell if services under the wm.server namespace allow serialized Objects as input. You cannot see the input signatures in IS administrator or designer, or at least I don’t know a way.

Does anyone know, or have you heard, which services, if exposed externally, would create a vulnerability for Integration Server? IS is using the vulnerable library; whether your servers are vulnerable now depends on the implementation of the built-in services and on port access.


I think raising a support incident will provide you more details and clarifications.

We are also analysing our infrastructure to check for this library. Can you please share the path where you found this library?

We have raised a support incident for SAG to guide us!


The jar file is located under common/lib/ext/commons-collections.jar.

This jar is part of some Shared Components (SCG) or Third-Party (TPL/TPS) fixes.

I don't think that disabling the Diagnostics Port will help here.
Additionally, by disabling the Diagnostics Port you reduce the ability to generate diagnostic data when it is needed for analysing a support incident.

If you are looking for the signatures of the wm.server services, you can set a watt property in IS to show the contents of the WmRoot package (hideWmRoot=false). Use this only on non-production environments and be aware that these services can change without notice, as they are meant to be used only internally by IS.
After setting the mentioned property the services will be visible in Designer, but only the signature.

Please open an idea (feature request) on Brainstorm to get the vulnerable jar replaced by a corrected version.
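The first post describes scanning servers for the Commons Collections classes, and the last reply gives the jar's location under common/lib/ext. The following script is an added example (not Software AG's code and not from anyone in this thread) of how such a scan can report which jars actually still need the corrected release: it walks a directory tree, opens every .jar, checks for the functor class that the publicly documented Commons Collections deserialization gadget chain relies on, reads Implementation-Version from the manifest, and compares it with the releases (3.2.2 for the 3.x line, 4.1 for the 4.x line) that disabled unsafe deserialization of those functors by default. The directory layout, jar names and manifest contents in demo() are constructed samples; a jar whose version cannot be read is flagged for manual checking rather than silently ignored.

```python
"""Scan a directory tree for Apache Commons Collections jars and report
which ones still predate the corrected release. Added example; not
webMethods / Software AG code."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Class entry used by the public Commons Collections gadget chain (3.x and 4.x
# package names). Its presence shows the jar is the library in question; the
# version decides whether unsafe functor deserialization is still enabled.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
# First releases that disabled unsafe functor deserialization by default.
FIXED_3X = (3, 2, 2)
FIXED_4X = (4, 1)


@dataclass
class JarReport:
    path: str
    version: Optional[str]
    has_gadget_class: bool
    needs_update: bool


def parse_version(text: Optional[str]) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); missing or unparseable -> ()."""
    return tuple(int(p) for p in re.findall(r"\d+", text or "")[:3])


def needs_update(version: Optional[str], has_gadget_class: bool) -> bool:
    """True when the jar carries the functor class and predates the fixed line,
    or when its version cannot be determined and must be checked by hand."""
    if not has_gadget_class:
        return False
    v = parse_version(version)
    if not v:
        return True          # unknown version: flag for manual review
    if v[0] == 3:
        return v < FIXED_3X
    if v[0] == 4:
        return v < FIXED_4X
    return True              # unfamiliar release line: flag for manual review


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path: str) -> Optional[JarReport]:
    """Return a report for a jar containing the functor class, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = manifest_version(zf)
    except zipfile.BadZipFile:
        return None          # not a real jar; skip it
    if not any(n in names for n in GADGET_CLASSES):
        return None
    return JarReport(path, version, True, needs_update(version, True))


def scan_tree(root: str) -> List[JarReport]:
    """Inspect every .jar below root (jar names alone are not trusted)."""
    reports = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                rep = inspect_jar(os.path.join(dirpath, name))
                if rep:
                    reports.append(rep)
    return sorted(reports, key=lambda r: r.path)


def write_sample_jar(path: str, version: Optional[str], with_gadget: bool) -> None:
    """Constructed sample jar for offline demonstration (dummy class bytes)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if with_gadget:
            zf.writestr(GADGET_CLASSES[0], b"\xca\xfe\xba\xbe")


def demo() -> List[JarReport]:
    """Build a constructed tree mimicking common/lib/ext and scan it."""
    with tempfile.TemporaryDirectory() as root:
        ext = os.path.join(root, "common", "lib", "ext")
        write_sample_jar(os.path.join(ext, "commons-collections.jar"), "3.2.1", True)
        write_sample_jar(os.path.join(ext, "commons-collections-3.2.2.jar"), "3.2.2", True)
        write_sample_jar(os.path.join(ext, "unrelated.jar"), "1.0", False)
        return scan_tree(root)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.path}: version={r.version} needs_update={r.needs_update}")
```

Run it against a real installation with scan_tree("/path/to/SoftwareAG") instead of demo(); the scanner looks inside every jar rather than matching on file names, so a renamed or bundled copy of the library is still reported, and a jar with the functor class but no readable version is listed as needing review rather than dropped.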