Apache Geronimo Remote Code Execute Vulnerability

简介：

Apache Geronimo 是 Apache 软件基金会的开放源码J2EE服务器，它集成了众多先进技术和设计理念。 这些技术和理念大多源自独立的项目，配置和部署模型也各不相同。

Geronimo能将这些项目和方法的配置及部署完全整合到一个统一、易用的模型中。

漏洞：

这个Geronimo 其实存在很多的反序列化，默认类似tomcat Manager也有，也可以利用弱口令等部署war包，我在测试的过程中发现默认启动了JAVA RMI，并且使用了commons-collections，

commons-collections低版本存在反序列化漏洞。

 ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches

但是漏洞利用会有一些小坑，具体感兴趣的同学可以自行测试，漏洞payload我也不放出来了。申请CVE的时候和Mark沟通，等了好久，

最后告诉我这个他们内部投票已经准备放弃了。

Mark的回复：

Hi jianan!

Yes, indeed Kevan is right.

The Apache Geronimo Community has recently voted to end support for the Geronimo Server part as Kevan has pointed out.
And yes, we so far failed to reflect this fact on our page.
I will try to address this immediately.

I hope that you understand our situation!

Note that any RMI communication is usually done on a custom port > 1024.
So those ports are usually blocked by a firewall anyway.
Which means that IF a company has any issues by that then they will likely have far more problems than 'just' a RMI injection.

txs and LieGrue,
strub



> Am 19.12.2017 um 00:23 schrieb Kevan Miller <kevan.miller@gmail.com>:
>
> Hi Jianan,
> I'm not certain why the PMC has failed to respond to you. Perhaps your messages are not being properly moderated onto the PMC's mailing list?
>
> I believe their response would be as follows:
>
> The Geronimo Server distribution is no longer supported. The community vote thread that decided this is:
>
> https://lists.apache.org/thread.html/7d8159f186eb58f253cfdbe71a7da6a420d6d85565bba01c731d8d0f@%3Cdev.geronimo.apache.org%3E
>
> Unfortunately, the results of this vote are not properly noted on http://geronimo.apache.org/
>
> kevan