Nine Month Old Java Vulnerability Puts Those Who Run Java On Servers At Risk

Java is something that I dumped a very long time ago because of how insecure it is. It seems my lack of faith in the security of Java is well placed, as a nine-month-old vulnerability has reared its ugly head:

The flaw is located in Apache Commons, a library that contains a widely used set of Java components maintained by the Apache Software Foundation. The library is used by default in multiple Java application servers and other products including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.

The flaw is specifically in the Collections component of Apache Commons and stems from unsafe deserialization of Java objects. In programming languages, serialization is the process of converting data to a binary format for storing it in a file or memory, or for sending it over the network. Deserialization is the reverse of that process.

And:

The vulnerability received a new wave of exposure Friday after researchers from a company called FoxGlove Security released proof-of-concept exploits based on it for WebLogic, WebSphere, JBoss, Jenkins and OpenNMS.

In response, Oracle issued a security alert Tuesday containing temporary mitigation instructions for the WebLogic Server while the company is working on a permanent patch. The Apache Commons Collections developers have also started working on a fix.

This vulnerability has the potential to affect a lot of companies out there, so it is not trivial by any means. Neither is the fix, which may involve rewriting something in the area of 1300 applications. Sucks to be the people who are responsible for that.
