The issues below are documented in a SolarWinds case opened on February 18. I am still waiting for a fix and/or an estimated time to fix. I did talk to a person in Lehi yesterday who is going to discuss this with development and get back to me with an estimate of when the issues below will be resolved.
The Java Deserialization issue is rated as critical, the Apache Flex BlazeDS XXE Injection is rated as high and Slowloris is rated as low.
I wish these security issues were handled in a consistent manner across development groups.
Last month, a very similar Java RMI issue in Virtualization Manager was fixed six days after I opened a case.
Issue details below.
Java Deserialization Remote Code Execution - remote - rmi
Vulnerability Details 10009
This asset is running a Java RMI service that utilizes a third party library known as Apache Commons Collections. The version of this library being used by the RMI service contains a Java deserialization vulnerability that can be leveraged to execute code remotely. Serialization is a form of data transformation that makes the data suitable to transfer over the network so that it may be reassembled by the receiver into its original form. The act of transforming the data to be sent is known as serialization. The converse of this is known as deserialization. In this case, the library in use by the RMI service does not properly validate the data that is being deserialized and ends up executing arbitrary code supplied by the attacker. In order to validate this vulnerability, the scanner sent a serialized payload that will force a vulnerable host to issue ICMP requests to the scanner, so that the scanner can tell whether or not the asset is executing arbitrary code. If the scanner sees the ICMP requests in response to sending the serialized payload, the host is vulnerable. Impact: This vulnerability can be leveraged by an attacker to execute arbitrary code on the asset, which could result in complete compromise of the underlying system running the Java RMI
If the Java RMI service is not required for business purposes, it should be disabled. If the RMI service is running as part of third party software installed on this asset, please contact the vendor for a patched version of the software or to determine when this issue will be resolved.
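Until the vendor ships a fixed build, the defensive control that actually stops this class of bug is a deserialization allow-list: the JVM refuses to instantiate any class not explicitly permitted, before that class's readObject ever runs, so a gadget chain built from Apache Commons Collections (or any other library on the classpath) is rejected at the first link. The example below is added here for illustration; it is not SolarWinds code, not the scanner's code, and not taken from the case. It uses the JDK's own `java.io.ObjectInputFilter` (JDK 9 and later; the `jdk.serialFilter` system property applies the same pattern syntax process-wide, which is how you would cover an RMI service whose code you cannot change). The class names `DeserializationFilterDemo` and `Ping`, the filter pattern, and the sample objects are all constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;

/**
 * Added example: a deserialization allow-list built with the JDK's
 * ObjectInputFilter (JDK 9+). RMI and every other ObjectInputStream consumer
 * in the process can be covered the same way without touching their code by
 * starting the JVM with -Djdk.serialFilter="<pattern>" (same syntax as below).
 */
public class DeserializationFilterDemo {

    /** Constructed sample type: the harmless message the service legitimately expects. */
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        Ping(String host) { this.host = host; }
    }

    /**
     * Allow-list pattern (hypothetical for this demo): permit Ping and String,
     * reject everything else ("!*"). A class that is not listed is refused when
     * its descriptor is read, i.e. before any of its readObject logic executes,
     * which is what defeats gadget chains such as the Commons Collections one.
     */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Ping;java.lang.String;!*");

    /** Helper: standard Java serialization into a byte array. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allow-list attached to this stream. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected message type passes the filter.
        Ping p = (Ping) deserializeFiltered(serialize(new Ping("scanner.example")));
        System.out.println("accepted: Ping(" + p.host + ")");

        // Anything outside the allow-list is refused. A plain HashMap stands in
        // here for the root object of a gadget chain; the filter does not care
        // what the class would do, only that it is not on the list.
        try {
            deserializeFiltered(serialize(new HashMap<String, String>()));
            System.out.println("BUG: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The second call ends in `InvalidClassException: filter status: REJECTED`, which is also what to look for in application logs once a filter is in place: a burst of REJECTED entries from an RMI endpoint is a cheap detection signal for the scanner traffic described above, or for someone else trying the same thing.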
Apache Flex BlazeDS XXE Injection - remote - http 443, 80, 8080, and 8443 TCP
Vulnerability Details 118600
This asset is running software that is utilizing the Apache Flex BlazeDS library to process the Action Message Format (AMF) protocol. This library is vulnerable to an XML external entity (XXE) attack because the XML parser implementation does not disallow the processing of DTDs (Document Type Declarations) in its default configuration. Impact: A remote, unauthenticated attacker may be able to use this vulnerability to retrieve arbitrary files from the filesystem or create a denial of service condition.
Upgrade to the latest version of the software to remediate this vulnerability.
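The root cause named above, a JAXP parser left in its default configuration, is worth seeing side by side with the hardened form, because the same mistake appears in plenty of code beyond BlazeDS. The example below is an added illustration, not BlazeDS code and not part of the original post; it builds two `javax.xml.parsers.DocumentBuilder` instances and feeds both a constructed document that carries a DTD declaring an external entity. The feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser; the class name `XxeHardeningDemo`, the sample documents and the placeholder file path are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: default JAXP parser vs. a parser that refuses DTDs outright. */
public class XxeHardeningDemo {

    /** Constructed sample: a document whose DTD declares an external entity. */
    static final String WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/never-read\">]>\n"
          + "<data>&ext;</data>";

    /** Constructed sample: an ordinary document with no DTD. */
    static final String PLAIN = "<?xml version=\"1.0\"?><data>ok</data>";

    /** As shipped by default: DTDs are processed and external entities are resolved. */
    static DocumentBuilder defaultParser() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: the DOCTYPE itself is forbidden, so no entity can ever be declared. */
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that cannot disallow DOCTYPE: no external
        // entities of either kind, no external DTD fetch, no XInclude, no expansion.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse and return the root element name; throws if the parser rejects the input. */
    static String parseRoot(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Hardened parser still handles normal documents.
        System.out.println("hardened, plain document: root=" + parseRoot(hardenedParser(), PLAIN));

        // Hardened parser rejects the DTD before any entity is even declared.
        try {
            parseRoot(hardenedParser(), WITH_DOCTYPE);
            System.out.println("BUG: DOCTYPE accepted by hardened parser");
        } catch (SAXParseException e) {
            System.out.println("hardened, DTD document rejected: " + e.getMessage());
        }

        // Default parser accepts the DOCTYPE and goes looking for the file named
        // in the entity; here that fails because the placeholder path does not
        // exist, but the attempt itself is the vulnerability.
        try {
            parseRoot(defaultParser(), WITH_DOCTYPE);
            System.out.println("default parser resolved the external entity");
        } catch (Exception e) {
            System.out.println("default parser tried to resolve the external entity: "
                    + e.getClass().getName());
        }
    }
}
```

The hardened parser fails the DTD document with a message stating that DOCTYPE is disallowed when the `disallow-doctype-decl` feature is set to true; that first `setFeature` line is the single change that closes the hole, and the remaining ones only matter on parsers that do not honour it. Upgrading BlazeDS as the scanner recommends remains the fix for this asset, since the vulnerable parser lives inside the library rather than in code you control.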
Slowloris Resource Depletion And Denial Of Service
This host is running a web server that appears to utilize a configuration which allows a single remote host to consume all connection resources. The Slowloris denial of service is achieved by systematically establishing and maintaining connections through partial header requests and HTTP keep-alive messages. The attacker can continue this methodology until all web server connections are tied up, resulting in a complete denial of service to legitimate users. Web servers that utilize threading are more susceptible to a Slowloris attack. In contrast to other web server denial of service techniques, this attack only requires a tiny amount of bandwidth and a single host IP address.
This attack can be mitigated by: 1) limiting the number of inactive concurrent web server connections a single user may be allowed to maintain, or 2) setting a minimum threshold of data per second a web server connection is allowed to maintain without being dropped. Examples of applicable Apache modules useful for implementing the suggested remediation include:
mod_reqtimeout - http://sourceforge.net/projects/mod-qos/
mod_cband - http://cband.linux.pl
mod_limitipconn - http://dominia.org/djao/limitipconn.html
mod_evasive - http://www.networkdweebs.com/stuff/security.html
mod_security - http://www.modsecurity.org/
mod_antiloris -
Additional third party modules may also be available. Please contact the vendor for additional information.