[ https://issues.apache.org/jira/browse/JUDDI-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17389104#comment-17389104 ]

Alex O'Ree commented on JUDDI-1018:
-----------------------------------

Addressed via

[https://github.com/apache/juddi/commit/e6ae0f4ce39e73ba29ab1c2926a41ac71e68574a]

> CVE-2021-37578 Apache jUDDI Remote code execution
> -------------------------------------------------
>
>                 Key: JUDDI-1018
>                 URL: https://issues.apache.org/jira/browse/JUDDI-1018
>             Project: jUDDI
>          Issue Type: Bug
>          Components: core
>            Reporter: Alex O'Ree
>            Assignee: Alex O'Ree
>            Priority: Major
>             Fix For: 3.3.10
>
>
> Details will be populated +30 days after release
>  
> REFERENCES: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578]
> [https://juddi.apache.org/security.html]
>  
> DESCRIPTION:
> Apache jUDDI uses several classes related to Java's Remote Method Invocation 
> (RMI) which (as an extension to UDDI) provides an alternate transport for 
> accessing UDDI services.
> RMI uses the default Java serialization mechanism to pass parameters in RMI 
> invocations. A remote attacker can send a malicious serialized object to the 
> above RMI entries. The objects get deserialized without any check on the 
> incoming data. In the worst case, it may let the attacker run arbitrary code 
> remotely. 
> For both jUDDI web service applications and jUDDI clients, the usage of RMI 
> is disabled by default. Since this is an optional feature and an extension to 
> the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all 
> RMI-related code was removed.
> Mitigation:
> jUDDI Clients, disable RMITransports (found in uddi.xml) and use alternate 
> transports such as HTTPS.
> jUDDI Server (juddiv3.war/WEB-INF/classes/juddiv3.xml), disable JNDI and RMI 
> settings in juddiv3.xml.
> The appropriate settings are located below in xpath-style notation.
>     juddi/jndi/registration=false
>     juddi/rmi/registration=false
>  
> If the settings are not present, then JNDI and RMI are already disabled. This 
> is the default setting.
>  
>  
> Reported by Artem Smotrakov



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
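As an added defender-side check (not part of the jUDDI project or of this thread), the following Python script audits the two juddiv3.xml settings and the client transport setting named in the mitigation quoted above. It assumes that the xpath-style key juddi/rmi/registration maps to nested <juddi><rmi><registration> elements below the document root (Apache Commons Configuration semantics) and that a client uddi.xml names its transport class in <proxyTransport> elements; both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Settings named in the advisory, in Commons Configuration xpath-style notation.
SERVER_KEYS = ("juddi/jndi/registration", "juddi/rmi/registration")

def _lookup(root, key):
    """Resolve a slash-separated key below the document root (the root element's own
    name is not part of the key; a root that is itself <juddi> is tolerated)."""
    parts = key.split("/")
    node = root
    for part in (parts[1:] if root.tag == parts[0] else parts):
        node = node.find(part)
        if node is None:
            return None
    return (node.text or "").strip()

def audit_server_config(xml_text):
    """Map each key to 'absent', 'disabled' or 'ENABLED' for a juddiv3.xml document.
    An absent key is reported as absent: the advisory says that means disabled."""
    root = ET.fromstring(xml_text)
    report = {}
    for key in SERVER_KEYS:
        value = _lookup(root, key)
        if value is None:
            report[key] = "absent"
        else:
            report[key] = "ENABLED" if value.lower() == "true" else "disabled"
    return report

def client_uses_rmi(uddi_xml_text):
    """True if any <proxyTransport> in a client uddi.xml names an RMI transport."""
    root = ET.fromstring(uddi_xml_text)
    return any("RMITransport" in (el.text or "") for el in root.iter("proxyTransport"))

# Constructed sample: server config with RMI registration turned on, JNDI off.
SAMPLE_SERVER = """<config><juddi>
  <jndi><registration>false</registration></jndi>
  <rmi><registration>true</registration><port>1099</port></rmi>
</juddi></config>"""

# Constructed sample: client config still pointing at the RMI transport class.
SAMPLE_CLIENT = """<uddi><client name="example"><nodes><node>
  <proxyTransport>org.apache.juddi.v3.client.transport.RMITransport</proxyTransport>
</node></nodes></client></uddi>"""

if __name__ == "__main__":
    for key, status in audit_server_config(SAMPLE_SERVER).items():
        print(f"{key}: {status}")
    print("client uses RMI transport:", client_uses_rmi(SAMPLE_CLIENT))
```

Any key reported as ENABLED should be set to false (or removed) before the next restart; an absent key is already at the safe default the advisory describes.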