TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

A vulnerability in WebLogic, WebSphere, JBoss, Jenkins, OpenNMS and others

125 points by sprkyco over 9 years ago

8 comments

kohsuke over 9 years ago
I'm from the Jenkins project.

I wish the authors of this post gave us a heads up beforehand. It put our users at unnecessary risk.

At the Jenkins project, we've published a mitigation script (https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli) while we work out a better fix for users.
Comment #10528847 not loaded
Comment #10527506 not loaded
sprkyco over 9 years ago
One thing I really liked about the write-up is the thoroughness with which everything was explained. Nothing was assumed. The author explains what Burp is and why it was used, broke down the basics at a high level, and then touched on the simple things. Showed exploits in multiple frameworks. Really a well done article just from a write-up perspective, let alone the impact of the issue.
devonkim over 9 years ago
Anyone actually have a CVE I can reference in talks to leadership so I can not look like a neckbeard security geek that's acting self-important?
Comment #10528859 not loaded
Comment #10550802 not loaded
el_duderino over 9 years ago
Kenn White said it best: "This will get very ugly: unpatched, full remote exec on Java-based web svcs that use a popular serialization library
Comment #10523027 not loaded
btilly over 9 years ago
This is very similar to the series of serialization vulnerabilities that hit the Ruby on Rails world in early 2013.

Black hats are going to have fun with this one. :-(
based2 over 9 years ago
https://www.reddit.com/r/netsec/comments/3rrr9z/what_do_weblogic_websphere_jboss_jenkins_opennms/

http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3C20151106222553.00002c57.ecki%40zusammenkunft.net%3E

https://www.owasp.org/index.php/Information_leak_through_serialization
TazeTSchnitzel over 9 years ago
The first thing I thought was "written in Java". The more straightforward headline would have been better, I think.
Comment #10522160 not loaded
Comment #10522534 not loaded
pythonistic over 9 years ago
I had to backport a fix for a similar vulnerability in a Seam installation three years ago. The solution at the time was to limit the directories and sources from which serialized object representations could be read.