alphaspirit - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Java vulnerability caused by unpatched open source library

News roundup: WebSphere, JBoss, Jenkins and more hit by Java vulnerability in an open source library. Plus, SAP HANA deals with critical vulnerabilities, and more.

It's been a tough week for vendors and developers using the Apache Commons open source library, as a Java vulnerability reported early this year was still wide open as recently as this week, affecting perhaps thousands of Java apps, including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.

Java vulnerabilities in the Apache Commons Collection open source library used by thousands of commercial and custom applications were reported by FoxGlove Security last week, and FoxGlove's principal consultant Stephen Breen posted remote code execution exploits for WebSphere, JBoss, Jenkins, WebLogic and OpenNMS. The vulnerabilities were notable for being incorporated in so many widely-used commercial products that use the Apache Commons, as well as for the fact that "proof of concept code was released over nine months ago," according to Breen.

The vulnerability was originally presented at a conference in January 2015, by Chris Frohoff and Gabriel Lawrence, but the vulnerability has gone unpatched by most vendors using the library until this week. According to Frohoff's statement on his proof-of-concept GitHub page, "It should be noted that the vulnerability lies in the application performing unsafe deserialization," which explains why the library maintainers felt no urgency to patch their own code. Breen reported that he found 1,300 applications posted on GitHub using the vulnerable commons-collection library.

The reason it's taken so long to address the vulnerability is in the way the libraries are used; programmers use the open source library to serialize and deserialize data -- converting a data object into binary format for storage or communication (serialize) or from binary format to usable form (deserialize). If authentication is not done before the deserialized data is used in the application,  the application will be vulnerable to remote code execution attacks.

In a statement posted this week on the Java vulnerability, Apache Commons' Bernd Eckenfels, committer, and Gary Gregory, vice president, pointed out that the research results "show that developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication." They go on to conclude that "replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability."

In other words, the flaw is with the way the library is used to code the applications, rather than with the library itself. Oracle has already issued a security alert for WebLogic, CVE-2015-4852, in which they recommend mitigations and note that patches for this vulnerability are on the way.

Good news department

It's not all bad news, though, as the bad guys show themselves to be as prone to baffling human errors as anyone. Bitdefender Labs reported that the developers of the newest Linux server ransomware failed by choosing easily-guessed encryption keys by using the system date -- making it trivial for defenders to derive the keys.

Out of Iran, the Rocket Kitten cyberespionage team demonstrated their own brand of hubris by leaving their phishing web server's PHP development environment (XAMPP) interface wide open, allowing root logins without any password, reports Check Point Software. As a result, the team identified the Rocket Kitten team leader, "Wool3n.H4T," as the Tehran-based Yaser Balaghi. Also exposed was a list of the group's targets, providing yet more evidence and data for further analysis of the threat.

In other news:

  • The Safe Harbor decision is reverberating; despite reports that the EU expects a new deal with the US in the next three months, Amazon and Microsoft are already building data centers in EU to render the issue moot, for now. Amazon CTO Werner Vogels blogged about adding a UK AWS region, writing that "This region will provide even lower latency and strong data sovereignty to local users." The UK AWS region is expected to come on line by 2017. Microsoft CEO Satya Nadella was reported to say that Microsoft would be expanding its EU data centers, including building a UK data center, in 2016. Microsoft Europe also announced that they would be delivering Microsoft Cloud services from two data centers located in Germany.  "Our new datacenter regions in Germany, operated in partnership with Deutsche Telekom, will not only spur local innovation and growth, but offer customers choice and trust in how their data is handled and where it is stored," Nadella stated.
  • In a move sure to satisfy all critics, Obama intends to nominate the current acting director of the Office of Personnel Management, Beth Cobert, as the new director of OPM. According to the press release, President Obama said "Beth will bring tremendous depth and quality of experience to her role as Director of the Office of Personnel Management. As Acting Director, Beth has effectively pursued strategies to strengthen cybersecurity and improve the way the government serves citizens, businesses, and the federal workforce both past and present. I thank Beth for her commitment to serving the American people and look forward to working with her in the months ahead." According to the White House press release, "Beth Cobert is Acting Director of the Office of Personnel Management, a position she has held since July 2015. She also serves as Deputy Director for Management in the Office of Management and Budget, a position she has held since 2013. Ms. Cobert previously served in various capacities at McKinsey & Company from 1984 to 2013, including as Director and Senior Partner."
  • OPM has given the Department of Homeland Security the green light to hire 1,000 cyber professionals between now and June 30, 2016. OPM published a notice in the Federal Register this week, under which the DHS is authorized to hire up to 1,000 positions "to perform cyber risk and strategic analysis, incident handling and malware/vulnerability analysis, program management, distributed control systems security, cyber incident response, cyber exercise facilitation and management, cyber vulnerability detection and assessment, network and systems engineering, enterprise architecture, intelligence analysis, investigation, investigative analysis and cyber-related infrastructure interdependency analysis requiring unique qualifications currently not established by OPM. Positions will be at the General Schedule (GS) grade levels 09-15."
  • Microsoft, hit by complaints over its November Patch Tuesday patches that crashed Outlook 2010 and Outlook 2013, re-issued the patch for MS15-115, noting that the bulletin had been "revised to inform customers running Windows 7 that the 3097877 update has been re-released to address an issue that caused crashes for some customers when they viewed certain emails. Customers who previously installed update 3097877 should reinstall the update to correct this known issue."
  • While Dell channel partners may be "excited" about the pending acquisition of EMC, a heavy tax bill could be the death of the deal. Re/code reported that "sources familiar with the matter" say that "Dell insiders" are worried a tax bill of as much as $9 billion could be due if the deal goes through as is. The tax burden depends on whether regulatory review determines the tax burden of Dell's scheme to finance its purchase of EMC by selling part of the company it is buying (VMware).
  • As 21 vulnerabilities, including 8 rated "critical," were reported in the SAP HANA platform by security firm Onapsis, SAP had already remediated those vulnerabilities in its October patch release cycle, according to Gary Prewett, security and compliance practice lead at SAP. Prewett wrote: "The highest vulnerability issue is a remotely exploitable buffer overflow that can be performed without authentication -- addressed specifically in note 2197428 (which has a CVSS of 9.3 -- about as high risk as it gets). This is a dangerous vulnerability that should be patched in all systems as soon as feasible."
  • According to the research reported by CyberArk Labs, 88% of networks can be compromised through credential theft/reuse. They report: "On average, 40% of the Windows hosts on a given network, if compromised, would provide an attacker credentials that would facilitate complete compromise of the vast majority of the other Windows hosts on that network -- whether directly or through a series of compromises."

Next Steps

Learn how to use the OWASP Top Ten to reduce web application vulnerabilities.

Find out more about how to work securely with open source libraries.

Understand the purpose of serialization and deserialization in Java.

Dig Deeper on Web application and API security best practices