Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco Products
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco Products
- From: Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>
- Date: Wed, 9 Dec 2015 11:11:06 -0500
Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco Products
Advisory ID: cisco-sa-20151209-java-deserialization
Revision 1.0
For Public Release: 2015 December 9 16:00 GMT
+---------------------------------------------------------------------
Summary
=======
A vulnerability in Java object deserialization, made exploitable by classes
shipped in the Apache Commons Collections (ACC) library, could allow an
unauthenticated, remote attacker to execute arbitrary code.
The vulnerability is due to insecure deserialization of user-supplied content
by the affected software. An attacker could exploit this vulnerability by
submitting a crafted serialized object to an application on a targeted system
that has the ACC library on its classpath. When the affected software
deserializes that object, the ACC classes it names are instantiated and
attacker-controlled code runs in the context of the application, which could be
used to conduct further attacks.
On November 6, 2015, Foxglove Security published information about a remote
code execution vulnerability that affects multiple releases of the ACC library.
The report contains detailed proof-of-concept code for a number of
applications, including WebSphere Application Server, JBoss, Jenkins, OpenNMS,
and WebLogic. The vulnerability is remotely exploitable and allows an attacker
to run arbitrary code or any command available on the server. The range of
potential impacts includes disclosure of sensitive information.
Object serialization is a technique that many programming languages use to
convert an object into a byte stream for storage or transfer.
Deserialization reassembles that byte stream back into an object.
This vulnerability arises when Java objects are serialized for network
transport and deserialized on the receiving side without any restriction on
the classes that the incoming stream is allowed to name.
Many applications accept serialized objects from the network without
performing input validation checks before deserializing them. Because a Java
serialized stream itself specifies which classes to instantiate, and those
classes' deserialization logic runs before the application can inspect or cast
the result, a crafted serialized object can lead to execution of arbitrary
attacker code.
Although the root cause is the application deserializing untrusted data with
the serialization functionality built into the Java programming language, the
ACC library supplies the classes (a so-called gadget chain) that turn such
deserialization into code execution. Any application or application framework
could be vulnerable if the ACC library is reachable on its classpath, whether
or not the application calls it directly, and it deserializes arbitrary,
user-supplied Java serialized data.
Additional details about the vulnerability are available at the following links:
Official Vulnerability Note from CERT:
http://www.kb.cert.org/vuls/id/576313
Foxglove Security:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Apache Commons Statement:
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
Oracle Security Alert:
https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852
Cisco will release software updates that address this vulnerability. There are
no workarounds that mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization