Monday 9 November 2015

Do you deserialize Java objects? Jenkins zero day and vunls in WebLogic, WebSphere, JBoss, OpenNMS and Appache commons

Last week the What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? vulnerability research was published and it included a number of quite worrying exploits on Java apps, more specifically on apps that use the Apache commons library (update: it looks like this is not a vuln in Apache commons, but in how it is used).

This is following up the Java Deserialization research published earlier this year on Marshalling Pickles and Exploiting Deserialization Vulnerabilities in Java (which is a variation of the XStream/XMLDecoder vulns/research I was involved in 2013)

It also looks like the Jenkins issue mentioned in the latest research doc is a zero-day on Jenkins: Mitigating unauthenticated remote code execution 0-day in Jenkins CLI

Since this is a vulnerability that allows RCE (Remote Code Execution), it is really important to understand the internal/external exposure to java deserialization, Jenkins and apache commons usage.

Monday 2 November 2015

Four amazing years and good luck TM 4.0

After working very hard on multiple versions of TeamMentor (TM 2.0, 3.0, 3.5 and 4.0), the time has finally come for me to let TM go, and move my Application Security efforts in other directions.

The last 4 years at SI have been an amazing experience and I've learned a lot.

Not only I increased my development skills (.NET, Java, Eclipse, Node, Javascript), I finally understood what TDD is all about and where security fits within the SDLC.

I really want to thank Ed and Jason for the opportunity, and the amazing worldwide TM development team (Serge, Michael, Lucy, Roman, Salle) for making TM 4.0 a reality.

I'm sure mine and SI paths will meet again. In fact I'm still contributing a couple bug fixes to TM, so I'm still around :)

Good luck to SI and all the team

PS: In case you are curious, I'm now helping UK companies to set up their Application Security Programmes (i.e. I'm a part-time 'Head of Application Security')