News Feature | November 19, 2015

Fix For Unnamed Java Vulnerability Could Be More Challenging Than Heartbleed

By Christine Kern, contributing writer

A vulnerability originating from a commonly used Java library could be “the most underrated, under-hyped vulnerability of 2015,” according to Steve Breen, principal consultant for NTT Com Security.

In a Foxglove Security blog post, Breen says that the vulnerability was first discovered more than nine months ago and that no patch is available. According to NTT Com, the unnamed vulnerability is “built into a broad range of commercial and custom software across global networks and will be difficult to isolate and neutralize.”

Gabriel Lawrence, leader of Qualcomm’s application security team, and Qualcomm cybersecurity engineer Chris Frohoff first reported the vulnerability during a presentation at the AppSecCali 2015 security conference in January.

ADT Magazine explains that the vulnerability is found in the Apache Commons library, a popular repository of reusable Java components and a workspace for component development, and that it “continues to put thousands of Java applications and servers at risk of a remote code execution attack.” The flaw is a deserialization vulnerability in the library: an attacker can send malicious serialized objects to an application that deserializes them, and it can be exploited over a network without a username and password.

NTT Com describes the impact of the Java vulnerability as “worse than the recent ‘Heartbleed’ vulnerability,” and says that it will be more challenging to fix. Exploits have already been identified in the WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS networking software packages. These application servers are used to deploy distributed enterprise applications, placing many Java-based applications at risk.

“It would be difficult to overstate the magnitude of this problem,” stated Christopher Camejo, director of threat and vulnerability analysis at NTT Com Security. “The core issue arises from architectural decisions that are very common in the Java world. This leaves many web servers and custom Java applications vulnerable to attack.”

Apache Commons VP Gary Gregory and project committer Bernd Eckenfels asserted in a blog post: “The best protection against this is to avoid using a complex serialization protocol with untrusted peers.”
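The pattern behind that advice, as an added illustration that is not from the article, NTT Com or the Apache project: the unsafe call that hands peer-supplied bytes straight to readObject(), beside a hardened version that uses the JDK's ObjectInputFilter allow-list so only the expected class can be instantiated. The class, method and message names are constructed for this example.

```java
import java.io.*;
import java.util.HashMap;

public class SafeDeserialization {
    // Constructed message type that this endpoint legitimately expects.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Ping(String message) { this.message = message; }
    }

    // Vulnerable pattern: instantiates whatever class the remote peer names.
    // If a gadget chain such as the Commons Collections one from the article
    // is on the classpath, it executes inside readObject() before any cast.
    static Object readUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list ObjectInputFilter (JDK 9+, backported to
    // 8u121) rejects every class except the expected ones and caps graph depth
    // before the constructor or readObject() of a rejected class can run.
    static Ping readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "maxdepth=3;SafeDeserialization$Ping;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowList);
            return (Ping) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readFiltered(serialize(new Ping("hello"))).message);
        // A harmless HashMap stands in for a payload naming an unexpected class.
        byte[] unexpected = serialize(new HashMap<String, String>());
        readUntrusted(unexpected);   // accepted: nothing checks the class name
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs before object construction, so the rejection happens even when a matching gadget library is present on the classpath; the allow-list should be kept as short as the endpoint's real message types allow.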

The Apache Software Foundation is currently working on a fix for the vulnerability.