Oracle has released its first Critical Patch Update of 2017, the largest Java CPU in more than a year. Other quick facts:
- This quarter’s CPU has more than double the number of Java CVEs compared to Q4 2016
- Sixteen (16) of this quarter’s Java CVEs are remotely exploitable without authentication
- The maximum CVSS score is 9.6 out of 10, which effectively represents a complete compromise of the target system
One of the patched CVEs is especially serious: it is a deserialization vulnerability inside the core Java RMI (Remote Method Invocation) APIs. This vulnerability has a CVSS score of 9.0, indicating low attack complexity and, as a result, high exploitability.
Deserialization vulnerabilities are one of the greatest nightmares for AppSec professionals, and there has been an almost endless list of high-profile attacks over the last several years against major enterprise applications using deserialization vulnerabilities. The most recent high-profile deserialization attack, late last year, was the San Francisco MUNI attack, which was executed via another deserialization vulnerability very similar to this one.
Security professionals and application owners need to be very worried about this vulnerability. To put its seriousness into perspective: virtually every Java app running today on a server that provides RMI is exposed to this vulnerability, and because exploitation is not difficult for a programmer with basic Java knowledge, it is virtually certain that we will see real exploits in the wild against this vulnerability in the weeks and months ahead.
Furthermore, given that so many organizations and applications struggle to stay anywhere near current with the Java CPU patch cycle, it is a virtual certainty that this vulnerability will remain exploitable, and will be exploited, for many years to come against legacy applications that either have not been, or cannot be, patched or upgraded.
The fix that has been provided in this Java CPU is the addition of a user-configurable whitelist/blacklist filter into the Java serialization API. This is problematic for several reasons:
- Any heuristic security technique based on whitelists/blacklists almost always requires intricate manual configuration and tuning to operate correctly
- Anything requiring manual human configuration and tuning requires special domain-specific and app-specific knowledge to configure, is expensive to test and validate, and prone to mistakes and human errors
- Incomplete or incorrect configuration/tuning virtually guarantees false-positive results which will break application operation and service
- Most security professionals know nothing about the serialization mechanics or dependencies of the applications they are tasked with securing, making the job of configuring whitelists/blacklists virtually impossible.
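To make the filter mechanism and its false-positive failure mode concrete, the following is an added example written for this article, not code from Oracle or from Waratek. It uses the public `java.io.ObjectInputFilter` API as it appears in Java 9 and later (the 8u121 backport exposes the same pattern syntax through a `sun.misc` class and the `jdk.serialFilter` system property); the class names `SerialFilterDemo`, `serialize`, `deserialize` and `logging`, the filter pattern string and the sample `HashMap`/`ArrayList` objects are all constructed here for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SerialFilterDemo {

    // Serialize any object to bytes; this stands in for data arriving over RMI or a socket.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a per-stream filter. The filter is consulted for each class
    // (and array) before it is resolved, so a REJECTED status aborts the read with
    // InvalidClassException before any gadget class is instantiated.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Wrap a filter so that rejections are logged: a rejected class is exactly the
    // event a defender wants to see, and it also surfaces the allow-list gaps
    // that would otherwise show up only as broken application features.
    static ObjectInputFilter logging(ObjectInputFilter inner) {
        return info -> {
            ObjectInputFilter.Status s = inner.checkInput(info);
            if (s == ObjectInputFilter.Status.REJECTED) {
                // serialClass() is null when a resource limit (depth, refs, bytes) tripped
                String what = info.serialClass() == null ? "resource limit" : info.serialClass().getName();
                System.err.println("serial filter rejected: " + what + " at depth " + info.depth());
            }
            return s;
        };
    }

    public static void main(String[] args) throws Exception {
        // Pattern syntax (JEP 290): patterns are tried left to right and the first
        // match wins; a leading '!' rejects; '*' is a wildcard; 'pkg.*' matches a
        // package and 'pkg.**' its subpackages too; maxdepth/maxrefs/maxbytes/maxarray
        // cap stream resources. The trailing "!*" is what turns this into an
        // allow-list: a class matching no pattern is UNDECIDED, which
        // ObjectInputStream treats as allowed.
        ObjectInputFilter allowList = logging(ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxrefs=100;maxbytes=65536;java.util.HashMap;java.lang.String;!*"));

        Map<String, String> m = new HashMap<>();
        m.put("user", "alice");
        Object accepted = deserialize(serialize(m), allowList);
        System.out.println("accepted: " + accepted);

        // Same filter, a class the application legitimately uses but nobody listed.
        // This is the false-positive failure mode: an incomplete allow-list breaks
        // a perfectly valid stream, and the only fix is more manual tuning.
        List<String> l = new ArrayList<>();
        l.add("a");
        l.add("b");
        try {
            deserialize(serialize(l), allowList);
        } catch (InvalidClassException e) {
            System.out.println("rejected legitimate object: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied JVM-wide with `-Djdk.serialFilter=...` instead of per stream, which is the form most deployments would use for RMI since the endpoints are not application code. Note that every serializable class the application, its frameworks and their transitive dependencies ever put on the wire has to be enumerated for an allow-list like this to hold, which is the configuration burden the list above describes.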
Using whitelists/blacklists for deserialization vulnerabilities is really outdated these days. Today’s ‘state-of-the-art’ protection for deserialization vulnerabilities in the RASP community is to entirely avoid any form of whitelist, blacklist or heuristic, because they just don’t work reliably. It is surprising to see such dated heuristic/filtering techniques being used for major deserialization vulnerabilities in the core Java APIs when the leading RASP technologies abandoned heuristic protection techniques several years ago.
Waratek customers are protected against deserialization attacks with the standard deserialization rule that is part of the out-of-the-box protections in the company’s runtime application security platform. Waratek uses a proprietary Smart Compartment to safely process deserialization without relying on black or white lists. Read more about our approach or request a free trial.
Author:
John Matthew Holt, CTO and Co-Founder is the inventive inspiration and technical driving force behind Waratek’s groundbreaking research and development into distributed computing and virtualization technologies, which has led to the granting of over 50 patents to date with many more pending.
As CTO, John Matthew leads a multinational team of expert computer engineers on a journey that has resulted in the creation of a disruptive new approach to web security that allows organisations to protect their Java applications and data from SQL Injection, targeted attacks and unpatched vulnerabilities at runtime, without making any code changes or deploying any hardware.