By Clark Shishido, Akamai SIRT Security Response Engineer
Applications written in Java commonly use a deserialization call, java.io.ObjectInputStream.readObject, together with the widely deployed Apache commons-collections library, to decode data passed between computers.
An attacker can append arbitrary data to a base64-encoded serialized data stream, which is then deserialized when the data is read into a Java application. By appending malicious payloads to the stream, the attacker can execute arbitrary commands on a vulnerable server.
How it works
Instead of human readable text, many Internet applications transmit streams of data between computers to minimize connection overhead. For this reason, Java routinely converts objects and strings into a single base64 encoded stream in computer-to-computer data transfers.
Working with information disclosed in January 2015 by Chris Frohoff and Gabriel Lawrence in a talk called "Marshalling Pickles," Steve Breen of FoxGlove Security published proofs of concept that detailed the vulnerabilities of several web application technologies written in Java.
The researchers first targeted middleware management ports with the knowledge that management protocols accept serialized data and thus were able to simply upload base64 encoded payloads to vulnerable management ports.
If your website is served by Akamai, direct access to management ports will not be accepted, as the Akamai network only responds on ports 80 (http), 443 (https), or 53 (dns). This does not mean a website is protected simply because it is on the Akamai platform: the attack surface is reduced but not eliminated.
As further explained by the researcher, if a website or the middleware is written in Java and accepts serialized data in http(s) requests, a web application may still be vulnerable.
All customers who depend on Java at any level of the architecture serving web traffic must still audit each Java application for the vulnerability. For example, another popular Java server, Apache Tomcat, includes the commons-collections library by default, so all installations of Tomcat also need to be updated.
After the disclosure, the Apache Software Foundation posted an update for commons-collections and Tomcat, both projects which they manage. Their blog post on the issue is more informative for all users of Java. In short, each and every Java application must be audited for use of the functions provided by the Apache commons-collections library, and the library must be replaced with the newly patched version.
Oracle acknowledged that the vulnerability affects Apache Commons and Oracle WebLogic Server, saying in a bulletin, "This is a remote code execution vulnerability and is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password." The database giant released a patch to address the issue in its products.
Can WAF protect me?
The Kona WAF product does have the capability to decode base64-encoded data using one of its advanced transformation functions; however, this is not part of the default KRS ruleset. The best method to address this issue is to work with the Akamai Professional Services team to implement a targeted virtual patch/custom rule. In this scenario, the new rule(s) would apply the base64 decoding function and inspection for attack keywords only to the exact locations where your application actually accepts serialized content.
Q: If Akamai can detect the traffic, can't you deny all malicious payloads?
A: No. In order to inspect the payload, the encoded stream must be decoded before analysis. Known good traffic must first be identified before a DENY rule is put in place. Known good traffic will be very customer and application specific. This class of traffic does not fit a predictable model for templating as it is often customized application code.
How to mitigate
Audit web architectures for use of Java.
Audit for exposed management ports (some of which may be proxied or port translated by firewalls and/or load balancers).
Update Apache commons-collections for in-house Java applications.
Apply vendor updates as soon as possible.
Profile known good use cases for serialized data in all Java components.
After profiling known good use cases, whitelist them and deny unknown incoming serialized data.