Recently a vulnerability was documented by Foxglove Security [1]
regarding Java object deserialization. The basis of this vulnerability
is that the Apache commons-collections library contains certain classes
that can, due to a design flaw in how deserialization is performed, be used
to run remote code on a machine. While we don't use any of the
offending classes from commons-collections in EJBCA or SignServer,
merely the fact that they exist on the classpath presents a risk.
The commons-collections library is also included in most application
servers, including Oracle WebLogic [2] and JBoss.
Existing support customers have been notified and patches provided. The
next Community Edition releases will either contain patched versions
of the library or a later version where the issue has been resolved. If
you can't wait for those we recommend you follow Red Hat's
recommendation [3] and remove the vulnerable classes yourself. Note
that both the commons-collections in the application server and the one in
EJBCA/SignServer need to be patched.
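As an added example (not code from PrimeKey or from the post above), the check a deployer would want after following that recommendation: walk a deployment directory, report every jar that still carries the gadget class, and rewrite such a jar without it. The class list is an assumption taken from the Red Hat guidance cited as [3]; verify it against that article before relying on it.

```python
import os
import shutil
import tempfile
import zipfile

# Entries to strip. InvokerTransformer is the class named in the Red Hat
# guidance the post cites; this tuple is an assumption, not a complete list.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
)


def vulnerable_entries(jar_path):
    """Return the gadget class entries still present in one jar."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
    return [c for c in GADGET_CLASSES if c in names]


def find_vulnerable_jars(root):
    """Map jar path -> offending entries for every jar under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".zip")):
                path = os.path.join(dirpath, name)
                found = vulnerable_entries(path)
                if found:
                    hits[path] = found
    return hits


def strip_classes(jar_path):
    """Rewrite the jar without the gadget entries; return what was removed."""
    removed = vulnerable_entries(jar_path)
    if not removed:
        return []
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in removed:
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, jar_path)  # atomic replace on the same filesystem
    return removed


def make_sample_jar(path):
    """Constructed sample jar: one harmless class plus one gadget entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/example/Ok.class", b"\xca\xfe\xba\xbe")
        jar.writestr(GADGET_CLASSES[0], b"\xca\xfe\xba\xbe")
```

Run it once against the application server's library directory and once against the EJBCA/SignServer deployment, since the post notes both copies of the library need patching.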
[1] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31779&sh=&cmid=WWMK14064193MPP032C013
[3] https://access.redhat.com/solutions/2045023
Regards,
The PrimeKey EJBCA and SignServer Teams
PrimeKey will exhibit as partner together with Utimaco at Cartes,
November 17-19, 2015.
Take the opportunity to meet us in Paris @ Cartes Secure Connexions,
Paris Nord, Villepinte, Hall 4, Booth 4 J 078.
More information on the conference and exhibition can be found at
www.cartes.com.