This was brought to the attention of our IT security team today:
A scan of servers for the Apache Commons Collections classes found that all of the webMethods products have this file in their directory and load it into their classpath.
We have disabled the 9999 default diagnostic ports internally (these were never exposed through our firewall) because of our suspicion of the JMX implementation in services allowed on this port and the probability of them using Objects and serialization. We have not monitored traffic to confirm the presence of serialized Objects yet; this was done out of caution.
However, it is impossible to tell if services under the wm.server namespace allow serialized Objects as input. You cannot see the input signatures in IS administrator or designer, or at least I don’t know a way.
Does anyone know, or have you heard, what services, if exposed externally, would create a vulnerability for Integration Server? IS is using the vulnerable library; it just depends on the implementation of the built-in services now and port access to determine whether your servers are vulnerable.
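Two of the checks described in the post, as an added example that is not part of the original thread or of any webMethods tooling: confirming whether captured traffic to a port carries Java serialized objects (every Java serialization stream starts with the header bytes AC ED 00 05), and confirming whether a jar on the classpath contains the Commons Collections 3.x `InvokerTransformer` class used by the known gadget chain. The sample traffic and the sample jar are constructed inline; the class entry name is the real one from the library.

```python
import io
import zipfile

# Header every Java serialization stream starts with: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Class from the Commons Collections 3.x gadget chain; its presence in a jar on the
# classpath is what a server scan like the poster's is looking for.
GADGET_CLASS_ENTRY = "org/apache/commons/collections/functors/InvokerTransformer.class"


def is_java_serialized(payload: bytes) -> bool:
    """True if the payload begins with the Java serialization stream header."""
    return payload[:4] == JAVA_SERIAL_MAGIC


def find_serialized_streams(data: bytes) -> list:
    """Return the offsets of every Java serialization header in a captured buffer
    (for example a reassembled TCP stream to the diagnostic port)."""
    offsets, start = [], 0
    while (idx := data.find(JAVA_SERIAL_MAGIC, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def jar_has_gadget_class(jar_bytes: bytes) -> bool:
    """True if the jar contains the InvokerTransformer class (Commons Collections 3.x)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return GADGET_CLASS_ENTRY in jar.namelist()


def build_sample_jar(include_gadget: bool) -> bytes:
    """Constructed stand-in for a commons-collections jar; class bodies are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_gadget:
            jar.writestr(GADGET_CLASS_ENTRY, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample capture: an HTTP-style request whose body is a serialized stream.
    capture = b"POST /invoke HTTP/1.1\r\n\r\n" + JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"
    print("serialized stream offsets:", find_serialized_streams(capture))
    print("jar contains gadget class:", jar_has_gadget_class(build_sample_jar(True)))
```

Running `jar_has_gadget_class` over the real jars found on the servers tells you whether the gadget class is present; `find_serialized_streams` over a packet capture of the port tells you whether serialized objects are actually in use, which is the monitoring step the post says has not been done yet.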