from Hacker News

A vulnerability in WebLogic, WebSphere, JBoss, Jenkins, OpenNMS and others

by sprkyco on 11/6/15, 7:19 PM with 24 comments

  • by kohsuke on 11/7/15, 1:57 AM

    I'm from the Jenkins project.

    I wish the authors of this post gave us a heads up beforehand. It put our users at unnecessary risk.

    At the Jenkins project, we've published a mitigation script (https://jenkins-ci.org/content/mitigating-unauthenticated-re...) while we work out a better fix for users.

  • by sprkyco on 11/6/15, 11:04 PM

    One thing I really liked about the write-up is the thoroughness with which everything was explained. Nothing was assumed. The author explains what Burp is and why it was used, broke down the basics at a high level and then touched on the simple things. Showed exploits in multiple frameworks. Really a well done article just from a write-up perspective, let alone the impact of the issue.

  • by devonkim on 11/6/15, 11:37 PM

    Anyone actually have a CVE I can reference in talks to leadership so I can not look like a neckbeard security geek that's acting self-important?
  • by el_duderino on 11/6/15, 7:25 PM

    Kenn White said it best: "This will get very ugly: unpatched, full remote exec on Java-based web svcs that use a popular serialization library
  • by btilly on 11/6/15, 9:26 PM

    This is very similar to the series of serialization vulnerabilities that hit the Ruby on Rails world in early 2013.

    Black hats are going to have fun with this one. :-(

  • by based2 on 11/6/15, 10:14 PM

  • by TazeTSchnitzel on 11/6/15, 8:48 PM

    The first thing I thought was "written in Java". The more straightforward headline would have been better, I think.
  • by pythonistic on 11/6/15, 9:19 PM

    I had to backport a fix for a similar vulnerability in a Seam installation three years ago. The solution at the time was to limit the directories and sources from which serialized object representations could be read.
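
Both kohsuke's mitigation script and pythonistic's Seam backport restrict where and what the application will deserialize. The following is an added example, not code from the Jenkins project, the linked write-up, or any commenter, of the "look-ahead" form of that restriction for Java's own ObjectInputStream: an allowlist checked in resolveClass, so any class not explicitly expected is rejected before it is instantiated. The BuildRequest class and the HashMap sample payload are constructed for the demo; a real service would list only its own wire types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class SafeDeserializationDemo {

    // Hypothetical application type: the only object class this endpoint expects.
    public static final class BuildRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String jobName;
        BuildRequest(String jobName) { this.jobName = jobName; }
    }

    // Allowlist of class names. A deny-list of known gadget classes is the wrong
    // shape for this problem, since new chains keep being found; only name what
    // you expect. Strings and primitives are stream-level tokens and never reach
    // resolveClass, so the String field of BuildRequest needs no entry.
    private static final Set<String> ALLOWED = Set.of(BuildRequest.class.getName());

    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Runs for every class descriptor before the class is loaded or any
            // readObject() executes, so rejecting here stops a chain at its root.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Helper used only to build sample input for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeSafely(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        byte[] ok = serialize(new BuildRequest("nightly"));
        BuildRequest r = (BuildRequest) deserializeSafely(ok);
        System.out.println("accepted: " + r.jobName);

        // Constructed stand-in for an unexpected object graph (harmless HashMap here).
        // It is refused at the class-descriptor stage, before any of its code runs.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            deserializeSafely(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check has to live in resolveClass (or, on JDK 9+ and the 8u121+ backports, in a JEP 290 ObjectInputFilter installed with ObjectInputFilter.Config.createFilter("SafeDeserializationDemo$BuildRequest;!*")) rather than on the object returned by readObject(): by the time readObject() returns, every constructor and readObject hook in the stream has already run, which is exactly where the gadget chains described in the write-up do their work. Combine the allowlist with the "limit the sources" approach from the Seam fix above; the allowlist protects the code path, the source restriction shrinks who can reach it.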