SlideShare une entreprise Scribd logo

The Anatomy of Java Vulnerabilities (Devoxx UK 2017)

Télécharger en tant que PPT, PDF
Steve Poole
Steve Poole

Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.

Logiciels
1  sur  61
@spoole167 Anatomy of Java Vulnerabilities Steve Poole @spoole167 www.ibm.com
@spoole167 About me Steve Poole IBM Lead Engineer / Developer advocate @spoole167 Making Java Real Since Version 0.9 Open Source Advocate DevOps Practitioner (whatever that means!) Driving Change
@spoole167 The scary Stuff looks like this The scary Stuff looks like this This talk is a technical horror story The Technical Stuff looks like this The scary Stuff looks like this https://www.flickr.com/photos/koolmann/
@spoole167 What is a Vulnerability?What is a Vulnerability?
@spoole167 What is a vulnerability? “A vulnerability is a bug which can be exploited by an attacker” Exploits can attack your availability Bringing your system down by making it crash Making your system unresponsive though excessive memory / CPU / network usage Exploits can reduce Integrity Modification of application data Arbitrary code execution Exploits can breech confidentiality Privilege elevation Exposure of sensitive information
@spoole167 Why should you care?Why should you care?
https://www.flickr.com/photos/koolmann/ Cybercrime realities
https://www.flickr.com/photos/stignygaard/ Do you think cybercriminals are lone hackers?
Organized Cybercrime is the most profitable type of crime • In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year • In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars • Guess which one has the least risk to the criminal? • Guess which is growing the fastest? • Guess which one is the hardest to prosecute? • Guess which one is predicted to reach 2100 Billion Dollars by 2019?
@spoole167 A simple example of a vulnerability A simple example of a vulnerability
@spoole167 Java Vulnerability example In a version of a java communications library a long time ago. A Properties object which mapped labels to classnames “decode” = “org.foo.decoder.Decoder” When the class couldn’t be instantiated an exception was returned “Cannot instantiate ‘decoder’ class ‘org.foo.decoder.Decoder’”
@spoole167 Unfortunately When retrieving the label if it wasn’t found in the Properties object then the library looked in the System Properties object. The result? A remote attacker could systematically retrieve the value of every System Property. “Cannot instantiate ’user.home’ class ‘/Users/joe’”
So who are the bad guys? https://www.flickr.com/photos/monsieurlui/
A mirror of you? • Organized and methodical • organized like startup companies. • “employ” highly experienced developers with deep knowledge • Constantly innovating malware, seeking out vulnerabilities • Sharing what they find with each other (for $ of course) • Goal focused • the average age of a cybercriminal is 35 years old.
Who’s being targeted? • Middle level executives – afraid of their bosses? • New joiners – easy to make a mistake? • Busy and harassed key individuals – too busy to take time to consider? • Disgruntled employees – want to hurt the company? Make some $? • And Developers – the golden goose. The bad guys prey on the weak, vulnerable and ignorant
Developers • Why ? • We know the inside story • We write the code • We have elevated privileges • We are over trusting • We use other peoples code and tools without inspection • we are ignorant of security matters The bad guys prey on the weak, vulnerable and ignorant
Don’t agree? “The bad guys prey on the weak, vulnerable and ignorant: That’s you”
Ever googled for: “very trusting trust manager” “Getting Java to accept all certs over HTTPS” “How to Trust Any SSL Certificate” “Disable Certificate Validation in Java”
TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( X509Certificate[] certs, String authType) { } public void checkServerTrusted( X509Certificate[] certs, String authType) { } public boolean isClientTrusted( X509Certificate[] cert) { return true; } public boolean isServerTrusted( X509Certificate[] cert) { return true; } } }; Ever written something like this?
We’ve all done something like that “A vulnerability is a bug which can be exploited by an attacker”
We’ve all done something like that “A vulnerability is a bug which can be exploited by an attacker” “A vulnerability is also a feature which can be exploited by an attacker”
Vulnerabilities • Bugs and design flaws in your software and the software you use. • Everyone has them. • Researchers are looking for them all the time. • So are the bad guys https://www.flickr.com/photos/electronicfrontierfoundation/
@spoole167 The process of managing vulnerabilities The process of managing vulnerabilities
@spoole167 “Common Vulnerabilities & Exposures” https://cve.mitre.org The Standard place find details about ‘CVEs’ International cyber security community effort Common naming convention and unique references. Allows you to know when a problem is resolved in something your using
@spoole167 ‘CVEs’ https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=* keywords=java serialization “12” keyword=java “1592”
@spoole167 CVE-2016- 2510 BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler. CVE-2016- 0686 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. CVE-2015- 4805 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization. keywords=java serialization (first three as of May 11th )
@spoole167 CVE-2016-0686 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. That’s all you will find about this fix
@spoole167 Common Vulnerability Scoring System Base CVSS combines several aspects into a single score Attack vector and complexity – local, remote etc. Impact – integrity, confidentiality etc. Privileges required? Represented as a base score and a CVSS vector CVSS 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) Additional temporal CVSS considers aspects that may change over time Availability of an exploit Availability of a fix IBM X-Force IBM’s security research organization Provides base and temporal CVSS scores for all published CVEs Database can be accessed via a REST API
@spoole167 Example CVSS vector CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Attack Vector: N (network) Attack Complexity: L (low) Privileges Required: N (none) User Interaction: R (required) Scope: C (changed) Confidentiality impact: H (high) Integrity impact: H (high) Availability impact: H (high) Using the CVSS v3.0 calculator Low = 0.0-3.9. Medium= 4.0-6.9 High= 7.0-8.9 Critical = 9.0-10.0 Note – assessments are based on the assumption that everyone behaves “sensibly” If you give everyone root access to a machine your mileage will differ
@spoole167 How are vulnerabilities communicated? Oracle CPU Advisory Risk Matrix IBM Java and Product Security Bulletins All IBM Security Bulletins are communicated on the PSIRT blog Can subscribe to Bulletins for specific products using My Notifications Java SDK Developer Centre
Talking about the details of a fix or flaw in public is just like tweeting your credit card # and pin So we dont
@spoole167 Oracle Critical Patch Updates Released quarterly on set dates Third Tuesday in January, April, July, and October Security releases are always odd-numbered Version numbers have gaps to allow for out-of-cycle releases E.g. 8u121, 8u131, 8u141 JDK 9 will use semantic versioning Each release contains CVE and security-in-depth fixes Security-in-depth issues are not described publicly Patches merged into OpenJDK several weeks later All Oracle software updated on the same date – not just Java
@spoole167 IBM PSIRT Process Product Security Incident Response Team Java and every other IBM products follow IBM’s PSIRT process Process and vulnerability tracking owned by a central team Each product has a PSIRT representative Each product communicates vulnerabilities to their consumers Process details are IBM Confidential Vulnerabilities must be fixed within timeframes depending on CVSS Extremely urgent issues must be fixed more quickly Out-of-cycle release if necessary
@spoole167 IBM PSIRT Process Regular quarterly security releases to ship Oracle fixes IBM-specific issues may also be fixed in these releases Version numbers have gaps to allow for out-of-cycle releases E.g. 8.0.3.0, 8.0.3.10 Aim to release as close to Oracle’s CPUs as possible Java SDK update usually within two weeks Security Bulletin published
@spoole167 How are vulnerabilities discovered? How are vulnerabilities discovered?
@spoole167 How are Java vulnerabilities discovered? Oracle/IBM internal development and testing Details and test code shared on a need to know basis Exploits never published externally Third party researchers (white hats) Issues reported discreetly Details and exploits disclosed responsibly Bad guys (black hats) Exploits published online – bad Exploits sold in secret – worse
@spoole167 What if I discover a vulnerability? Report it responsibly Oracle or OpenJDK component (e.g. HotSpot VM, AWT, Net, Plugin) Report it to Oracle IBM component (e.g. J9VM, IBM ORB, IBM JCE/JSSE) Report it to IBM What you should not do Don’t shout about it! Don’t send a mail to an OpenJDK mailing list Don’t post the details on a forum/blog Don’t sell it to the bad guys Don’t worry about apparent lack of severity – always report it
@spoole167 How are Java vulnerabilities addressed? Ideally as quickly as possible, but it depends on CVSS Impending disclosure Resources In general: Issues categorised internally Fixes targeted for a future scheduled regular security release Fixes may be deferred or brought forward if things change Extremely urgent issues may trigger an out of cycle release
@spoole167 How vulnerable is Java really?How vulnerable is Java really?
@spoole167 Java’s reputation? Little focus on security in 1990s and early 2000’s Whole IT industry, not just Java Java’s worst year was 2013 Over 160 CVE fixes – 45 in the October 2013 CPU alone Multiple zero-day vulnerabilities and out-of-cycle releases HOWEVER, the most widely publicised issues generally did not affect server-side software Huge improvement over the last four years Current levels are approximately 10 CVEs per CPU
@spoole167 Java vulnerabilities by year
@spoole167 Attack Vectors – Frequency 69% – Applet/Browser and Untrusted code 13% – Untrusted data 12% – Cryptographic issues 6% – Other
@spoole167 Vulnerability applicability High CVSS is irrelevant if the issue does not apply to you Java plugin flaws don’t apply to appserver deployments JAXP issues aren’t relevant if you don’t parse untrusted XML data Use the Oracle CPU Risk Matrix Base CVSS scores and vectors Consider the attack vector for the vulnerability Oracle Applicability notes IBM customers: if in doubt, contact IBM Support IBM Products have detailed applicability information
@spoole167 Attack VectorsAttack Vectors
@spoole167 Attack Vectors – Untrusted Code Code is able to bypass or escape the SecurityManager Sometimes incorrectly referred to as “client side” issues Affects any application which runs untrusted code under a security manager Some server applications do this! Flaw can be in any component on the classpath Partial bypass Exposure of sensitive information – e.g. system property values, heap contents Arbitrary network connections Full bypass Arbitrary code execution and access to operating system Many server deployments run as root/admin SecurityManager offers no protection against CPU DoS attacks Infinite loops Less of a problem now that unsigned applets are not permitted by default Applets are deprecated in JDK 9
@spoole167 Attack Vectors – Plugin / Web Start True “client-side” issues Affect JREs installed as the system default Exploits can be triggered remotely, usually via a browser Malicious applet or JNLP file May involve platform or browser specific components Installer/updater Windows Registry entries Browser callbacks OS Shell behaviour (command line parsing) Inappropriate privilege elevation Applets and browser plugins are deprecated in JDK 9
@spoole167 Attack Vectors – Untrusted Data A Java SE API mishandles a specific type of data XML, JPG, URLs, Fonts, JARs, Strings Issues tend to be more severe when the API is implemented natively Maliciously-crafted data can exploit the bug DoS – CPU/memory usage, crash Exposure of sensitive data – arbitrary memory access Arbitrary code execution – code injection, disabling of SecurityManager Affects any application which handles the specific data type from untrusted sources Examples A server application which allows users to upload images A server application which accepts SOAP requests A server application with an XML-based REST API
@spoole167 Attack Vectors – Cryptographic Issues Protocol flaws Many implementations affected (Java, GSKit, OpenSSL, Browsers) BEAST, POODLE, SLOTH, Logjam, Bar Mitzvah Implementation flaws Specific to Java No fancy names! Variable Impact DoS Private key exposure Decryption of encrypted data
@spoole167 Attack Vectors – Local Can only be exploited by a local user Exposure of sensitive data E.g. temp files with inappropriate permissions Code injection E.g. native code loaded from an unexpected location due to bad LIBPATH May lead to a remotely exploitable vulnerability E.g. local user plants malicious code which can be executed remotely Usually low CVSS due to the access required
@spoole167 Deserialization Vulnerabilities Abuse of the readObject() method of one or more classes readObject() is invoked before the data is deserialized Attackers use “gadget chains” in classes on the server’s classpath Usually a complex set of nested objects which result in a Runtime.exec() Costly to fix – servers may have multiple copies of the vulnerable code Applications are vulnerable if they: Have the vulnerable code on their classpath Accept untrusted serialized data (this is much more common that you might think!) Known for years, but came to prominence with problem in Apache Commons remote code execution Many products affected – e.g. WebLogic, WebSphere, Tomcat, JBoss, Jenkins Serialization filtering was added to the Java runtime in January 2017 JEP 290 – Filter Incoming Serialization Data Allows classes to be whitelisted
@spoole167 ExamplesExamples
@spoole167 Example vulnerability • Infinite loop in java.lang.Double.parseDouble() • Triggered by the parsing of an obscure value • 2.2250738585072012e-308 • Bug was reported in 2001 • Spent ten years in a public bug database without the impact being realised • A researcher rediscovered it, and the significance was realised • Extremely easy to exploit and inflict a DoS, for example: • Website running on a Java platform • Send HTTP requests with headers set to the bad value • Server’s worker threads are quickly tied up in infinite loops • Affected all Java releases and a huge number of deployments • Massive cost to Java Vendors and our customers to produce and apply patches • CVSS score was only 5.0! • Good example of how CVSS does not necessarily describe the impact
@spoole167 Example vulnerability • Apache Struts remote code execution • Mishandling of HTTP request header (i.e. untrusted String data) • Essentially: untrusted String data passed into Runtime.exec() with no validation (!!!) • Actual chain of events is complicated and obscure (which is why it wasn’t noticed) • Trivial to exploit • Actively exploited in the wild very quickly after patch release • Severity not clearly communicated • Easy to scan for vulnerable servers • Struts is a component in many applications • Many copies, many versions, many places • All updates have to be properly tested • => Massive task to fully patch
@spoole167 Example vulnerability – JDWP • JDWP = Java Debug Wire Protocol • Disabled by default – enabled with a command line option • JVM internals can be observed and modified remotely • No authentication required • Classes can be changed, code can be injected • Well-known online banking website • JDWP enabled on public facing servers (!!!) • Presumably JDWP was enabled in development/test… • Found by a researcher after a simple port scan • Bug bounty => ££££ • Simple fix – disable JDWP!
@spoole167 Example vulnerability Found by a third party researcher who published the details DLL side-loading vulnerability Java runtime tries to load libraries from a non-existent folder Incorrect path is used because a classpath URL is not decoded A space in the path is encoded as “%20” – C:Program%20Files... Any user on the system can create a folder with that name Allows local users to inject code into other users’ Java processes Privilege escalation if the target user has admin privileges Once the malicious code is planted, the issue can be exploited remotely via an applet or Web Start application Simple fix – decode the URL before using it as a library search path
“A vulnerability is a bug which can be exploited by an attacker” “A vulnerability is also a feature which can be exploited by an attacker”
“A vulnerability is a bug which can be exploited by an attacker” “A vulnerability is also a feature which can be exploited by an attacker” “A vulnerability is also a developer aid which can be exploited by an attacker”
@spoole167 Sum m ary
Keeping safe: it’s in your hands Keep current. Every vulnerability fix you apply is one less way in. Compartmentalise. Separate data, code, access controls etc. Just like bulkhead doors in a ship: ensure one compromise doesn’t sink your boat. Design for intrusion. Review you levels of ‘helpfulness’ and flexibility Learn about Penetration Testing Understand that making your development life easier makes the hackers job easier
@spoole167 Reducing Risk • Keep all Java instances up to date • Don’t write custom security managers • Don’t write custom crypto code • Don’t write custom XML parsers • Use modern encryption protocols and algorithms • Be very careful with: • Untrusted data • Deserialization (including RMI and JMX) • JDWP • Runtime.exec() • Native code
@spoole167 Thank you Any Q uestions?

Recommandé

Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Alex Kosowski
 
Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!Reza Rahman
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the HorizonJosh Juneau
 
Down-to-Earth Microservices with Java EE
Down-to-Earth Microservices with Java EEDown-to-Earth Microservices with Java EE
Down-to-Earth Microservices with Java EEReza Rahman
 
Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot David Delabassee
 
EJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyEJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyDavid Delabassee
 

Recommandé

Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Alex Kosowski
 
Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!Reza Rahman
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the HorizonJosh Juneau
 
Down-to-Earth Microservices with Java EE
Down-to-Earth Microservices with Java EEDown-to-Earth Microservices with Java EE
Down-to-Earth Microservices with Java EEReza Rahman
 
Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot Java EE 8 - An instant snapshot
Java EE 8 - An instant snapshot David Delabassee
 
EJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyEJB and CDI - Alignment and Strategy
EJB and CDI - Alignment and StrategyDavid Delabassee
 
Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Hirofumi Iwasaki
 
What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)Rudy De Busscher
 
MVC 1.0 / JSR 371
MVC 1.0 / JSR 371MVC 1.0 / JSR 371
MVC 1.0 / JSR 371David Delabassee
 
Testing Java EE Applications Using Arquillian
Testing Java EE Applications Using ArquillianTesting Java EE Applications Using Arquillian
Testing Java EE Applications Using ArquillianReza Rahman
 
Java EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsJava EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsMurat Yener
 
Modern web application development with java ee 7
Modern web application development with java ee 7Modern web application development with java ee 7
Modern web application development with java ee 7Shekhar Gulati
 
2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI AlignmentDavid Blevins
 
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015Edward Burns
 
What's coming in Java EE 8
What's coming in Java EE 8What's coming in Java EE 8
What's coming in Java EE 8David Delabassee
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-SideReza Rahman
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Nick Galbreath
 
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsJava EE 6 Adoption in One of the World’s Largest Online Financial Systems
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsArshal Ameen
 
Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Reza Rahman
 
Move from J2EE to Java EE
Move from J2EE to Java EEMove from J2EE to Java EE
Move from J2EE to Java EEHirofumi Iwasaki
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015Edward Burns
 
Java API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateJava API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateMartin Grebac
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole
 
The Anatomy of Java Vulnerabilities
The Anatomy of Java VulnerabilitiesThe Anatomy of Java Vulnerabilities
The Anatomy of Java VulnerabilitiesSteve Poole
 
Whittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest IrelandWhittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest IrelandDavid O'Dowd
 

Contenu connexe

Tendances

Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Hirofumi Iwasaki
 
What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)Rudy De Busscher
 
Testing Java EE Applications Using Arquillian
Testing Java EE Applications Using ArquillianTesting Java EE Applications Using Arquillian
Testing Java EE Applications Using ArquillianReza Rahman
 
Java EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsJava EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsMurat Yener
 
Modern web application development with java ee 7
Modern web application development with java ee 7Modern web application development with java ee 7
Modern web application development with java ee 7Shekhar Gulati
 
2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI AlignmentDavid Blevins
 
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015Edward Burns
 
What's coming in Java EE 8
What's coming in Java EE 8What's coming in Java EE 8
What's coming in Java EE 8David Delabassee
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-SideReza Rahman
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Nick Galbreath
 
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsJava EE 6 Adoption in One of the World’s Largest Online Financial Systems
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsArshal Ameen
 
Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Reza Rahman
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015Edward Burns
 
Java API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateJava API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateMartin Grebac
 

Tendances (17)

Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7Seven Points for Applying Java EE 7
Seven Points for Applying Java EE 7
 
What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)
 
MVC 1.0 / JSR 371
MVC 1.0 / JSR 371MVC 1.0 / JSR 371
MVC 1.0 / JSR 371
 
Testing Java EE Applications Using Arquillian
Testing Java EE Applications Using ArquillianTesting Java EE Applications Using Arquillian
Testing Java EE Applications Using Arquillian
 
Java EE Revisits GoF Design Patterns
Java EE Revisits GoF Design PatternsJava EE Revisits GoF Design Patterns
Java EE Revisits GoF Design Patterns
 
Modern web application development with java ee 7
Modern web application development with java ee 7Modern web application development with java ee 7
Modern web application development with java ee 7
 
2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment
 
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
HTTP/2 comes to Java. What Servlet 4.0 means to you. DevNexus 2015
 
What's coming in Java EE 8
What's coming in Java EE 8What's coming in Java EE 8
What's coming in Java EE 8
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-Side
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
Java EE 6 Adoption in One of the World’s Largest Online Financial SystemsJava EE 6 Adoption in One of the World’s Largest Online Financial Systems
Java EE 6 Adoption in One of the World’s Largest Online Financial Systems
 
Have You Seen Java EE Lately?
Have You Seen Java EE Lately?Have You Seen Java EE Lately?
Have You Seen Java EE Lately?
 
Move from J2EE to Java EE
Move from J2EE to Java EEMove from J2EE to Java EE
Move from J2EE to Java EE
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015
 
Java API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and updateJava API for JSON Binding - Introduction and update
Java API for JSON Binding - Introduction and update
 

Similaire à The Anatomy of Java Vulnerabilities (Devoxx UK 2017)

Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole
 
The Anatomy of Java Vulnerabilities
The Anatomy of Java VulnerabilitiesThe Anatomy of Java Vulnerabilities
The Anatomy of Java VulnerabilitiesSteve Poole
 
Whittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest IrelandWhittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest IrelandDavid O'Dowd
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleJAXLondon_Conference
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"Daniel Bryant
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...DebasisMohanty43
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 

Similaire à The Anatomy of Java Vulnerabilities (Devoxx UK 2017) (20)

Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
 
The Anatomy of Java Vulnerabilities
The Anatomy of Java VulnerabilitiesThe Anatomy of Java Vulnerabilities
The Anatomy of Java Vulnerabilities
 
Whittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest IrelandWhittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest Ireland
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...Software Security Engineering (Learnings from the past to fix the future) - B...
Software Security Engineering (Learnings from the past to fix the future) - B...
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 

Plus de Steve Poole

Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...Steve Poole
 
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECHTHRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECHSteve Poole
 
Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainSteve Poole
 
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextGIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextSteve Poole
 
A new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextA new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextSteve Poole
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxSteve Poole
 
Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Steve Poole
 
The Secret Life of Maven Central
The Secret Life of Maven CentralThe Secret Life of Maven Central
The Secret Life of Maven CentralSteve Poole
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxSteve Poole
 
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Steve Poole
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxSteve Poole
 
DevnexusRansomeware.pptx
DevnexusRansomeware.pptxDevnexusRansomeware.pptx
DevnexusRansomeware.pptxSteve Poole
 
Game Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same againGame Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same againSteve Poole
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleSteve Poole
 
Agile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureAgile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureSteve Poole
 
LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020Steve Poole
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Steve Poole
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Steve Poole
 
A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization Steve Poole
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkEclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkSteve Poole
 

Plus de Steve Poole (20)

Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...
 
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECHTHRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
 
Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chain
 
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextGIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
 
A new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextA new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn next
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptx
 
Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?
 
The Secret Life of Maven Central
The Secret Life of Maven CentralThe Secret Life of Maven Central
The Secret Life of Maven Central
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptx
 
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
 
DevnexusRansomeware.pptx
DevnexusRansomeware.pptxDevnexusRansomeware.pptx
DevnexusRansomeware.pptx
 
Game Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same againGame Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same again
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 style
 
Agile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureAgile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and Culture
 
LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?
 
A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkEclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
 

Dernier

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 

Dernier (20)

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 

The Anatomy of Java Vulnerabilities (Devoxx UK 2017)

  • 1. @spoole167 Anatomy of Java Vulnerabilities Steve Poole @spoole167 www.ibm.com
  • 2. @spoole167 About me Steve Poole IBM Lead Engineer / Developer advocate @spoole167 Making Java Real Since Version 0.9 Open Source Advocate DevOps Practitioner (whatever that means!) Driving Change
  • 3. @spoole167 The scary Stuff looks like this The scary Stuff looks like this This talk is a technical horror story The Technical Stuff looks like this The scary Stuff looks like this https://www.flickr.com/photos/koolmann/
  • 4. @spoole167 What is a Vulnerability?What is a Vulnerability?
  • 5. @spoole167 What is a vulnerability? “A vulnerability is a bug which can be exploited by an attacker” Exploits can attack your availability Bringing your system down by making it crash Making your system unresponsive though excessive memory / CPU / network usage Exploits can reduce Integrity Modification of application data Arbitrary code execution Exploits can breech confidentiality Privilege elevation Exposure of sensitive information
  • 6. @spoole167 Why should you care?Why should you care?
  • 9. Organized Cybercrime is the most profitable type of crime • In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year • In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars • Guess which one has the least risk to the criminal? • Guess which is growing the fastest? • Guess which one is the hardest to prosecute? • Guess which one is predicted to reach 2100 Billion Dollars by 2019?
  • 10. @spoole167 A simple example of a vulnerability A simple example of a vulnerability
  • 11. @spoole167 Java Vulnerability example In a version of a java communications library a long time ago. A Properties object which mapped labels to classnames “decode” = “org.foo.decoder.Decoder” When the class couldn’t be instantiated an exception was returned “Cannot instantiate ‘decoder’ class ‘org.foo.decoder.Decoder’”
  • 12. @spoole167 Unfortunately When retrieving the label if it wasn’t found in the Properties object then the library looked in the System Properties object. The result? A remote attacker could systematically retrieve the value of every System Property. “Cannot instantiate ’user.home’ class ‘/Users/joe’”
  • 13. So who are the bad guys? https://www.flickr.com/photos/monsieurlui/
  • 14. A mirror of you? • Organized and methodical • organized like startup companies. • “employ” highly experienced developers with deep knowledge • Constantly innovating malware, seeking out vulnerabilities • Sharing what they find with each other (for $ of course) • Goal focused • the average age of a cybercriminal is 35 years old.
  • 15. Who’s being targeted? • Middle level executives – afraid of their bosses? • New joiners – easy to make a mistake? • Busy and harassed key individuals – too busy to take time to consider? • Disgruntled employees – want to hurt the company? Make some $? • And Developers – the golden goose. The bad guys prey on the weak, vulnerable and ignorant
  • 16. Developers • Why ? • We know the inside story • We write the code • We have elevated privileges • We are over trusting • We use other peoples code and tools without inspection • we are ignorant of security matters The bad guys prey on the weak, vulnerable and ignorant
  • 17. Don’t agree? “The bad guys prey on the weak, vulnerable and ignorant: That’s you”
  • 18. Ever googled for: “very trusting trust manager” “Getting Java to accept all certs over HTTPS” “How to Trust Any SSL Certificate” “Disable Certificate Validation in Java”
  • 19. TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( X509Certificate[] certs, String authType) { } public void checkServerTrusted( X509Certificate[] certs, String authType) { } public boolean isClientTrusted( X509Certificate[] cert) { return true; } public boolean isServerTrusted( X509Certificate[] cert) { return true; } } }; Ever written something like this?
  • 20. We’ve all done something like that “A vulnerability is a bug which can be exploited by an attacker”
  • 21. We’ve all done something like that “A vulnerability is a bug which can be exploited by an attacker” “A vulnerability is also a feature which can be exploited by an attacker”
  • 22. Vulnerabilities • Bugs and design flaws in your software and the software you use. • Everyone has them. • Researchers are looking for them all the time. • So are the bad guys https://www.flickr.com/photos/electronicfrontierfoundation/
  • 23. @spoole167 The process of managing vulnerabilities The process of managing vulnerabilities
  • 24. @spoole167 “Common Vulnerabilities & Exposures” https://cve.mitre.org The Standard place find details about ‘CVEs’ International cyber security community effort Common naming convention and unique references. Allows you to know when a problem is resolved in something your using
  • 26. @spoole167 CVE-2016- 2510 BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler. CVE-2016- 0686 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. CVE-2015- 4805 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization. keywords=java serialization (first three as of May 11th )
  • 27. @spoole167 CVE-2016-0686 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. That’s all you will find about this fix
  • 28. @spoole167 Common Vulnerability Scoring System Base CVSS combines several aspects into a single score Attack vector and complexity – local, remote etc. Impact – integrity, confidentiality etc. Privileges required? Represented as a base score and a CVSS vector CVSS 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) Additional temporal CVSS considers aspects that may change over time Availability of an exploit Availability of a fix IBM X-Force IBM’s security research organization Provides base and temporal CVSS scores for all published CVEs Database can be accessed via a REST API
  • 29. @spoole167 Example CVSS vector CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Attack Vector: N (network) Attack Complexity: L (low) Privileges Required: N (none) User Interaction: R (required) Scope: C (changed) Confidentiality impact: H (high) Integrity impact: H (high) Availability impact: H (high) Using the CVSS v3.0 calculator Low = 0.0-3.9. Medium= 4.0-6.9 High= 7.0-8.9 Critical = 9.0-10.0 Note – assessments are based on the assumption that everyone behaves “sensibly” If you give everyone root access to a machine your mileage will differ
  • 30. @spoole167 How are vulnerabilities communicated? Oracle CPU Advisory Risk Matrix IBM Java and Product Security Bulletins All IBM Security Bulletins are communicated on the PSIRT blog Can subscribe to Bulletins for specific products using My Notifications Java SDK Developer Centre
  • 31. Talking about the details of a fix or flaw in public is just like tweeting your credit card # and pin So we dont
  • 32. @spoole167 Oracle Critical Patch Updates Released quarterly on set dates Third Tuesday in January, April, July, and October Security releases are always odd-numbered Version numbers have gaps to allow for out-of-cycle releases E.g. 8u121, 8u131, 8u141 JDK 9 will use semantic versioning Each release contains CVE and security-in-depth fixes Security-in-depth issues are not described publicly Patches merged into OpenJDK several weeks later All Oracle software updated on the same date – not just Java
  • 33. @spoole167 IBM PSIRT Process Product Security Incident Response Team Java and every other IBM products follow IBM’s PSIRT process Process and vulnerability tracking owned by a central team Each product has a PSIRT representative Each product communicates vulnerabilities to their consumers Process details are IBM Confidential Vulnerabilities must be fixed within timeframes depending on CVSS Extremely urgent issues must be fixed more quickly Out-of-cycle release if necessary
  • 34. @spoole167 IBM PSIRT Process Regular quarterly security releases to ship Oracle fixes IBM-specific issues may also be fixed in these releases Version numbers have gaps to allow for out-of-cycle releases E.g. 8.0.3.0, 8.0.3.10 Aim to release as close to Oracle’s CPUs as possible Java SDK update usually within two weeks Security Bulletin published
  • 35. @spoole167 How are vulnerabilities discovered? How are vulnerabilities discovered?
  • 36. @spoole167 How are Java vulnerabilities discovered? Oracle/IBM internal development and testing Details and test code shared on a need to know basis Exploits never published externally Third party researchers (white hats) Issues reported discreetly Details and exploits disclosed responsibly Bad guys (black hats) Exploits published online – bad Exploits sold in secret – worse
  • 37. @spoole167 What if I discover a vulnerability? Report it responsibly Oracle or OpenJDK component (e.g. HotSpot VM, AWT, Net, Plugin) Report it to Oracle IBM component (e.g. J9VM, IBM ORB, IBM JCE/JSSE) Report it to IBM What you should not do Don’t shout about it! Don’t send a mail to an OpenJDK mailing list Don’t post the details on a forum/blog Don’t sell it to the bad guys Don’t worry about apparent lack of severity – always report it
  • 38. @spoole167 How are Java vulnerabilities addressed? Ideally as quickly as possible, but it depends on CVSS Impending disclosure Resources In general: Issues categorised internally Fixes targeted for a future scheduled regular security release Fixes may be deferred or brought forward if things change Extremely urgent issues may trigger an out of cycle release
  • 39. @spoole167 How vulnerable is Java really?How vulnerable is Java really?
  • 40. @spoole167 Java’s reputation? Little focus on security in 1990s and early 2000’s Whole IT industry, not just Java Java’s worst year was 2013 Over 160 CVE fixes – 45 in the October 2013 CPU alone Multiple zero-day vulnerabilities and out-of-cycle releases HOWEVER, the most widely publicised issues generally did not affect server-side software Huge improvement over the last four years Current levels are approximately 10 CVEs per CPU
  • 42. @spoole167 Attack Vectors – Frequency 69% – Applet/Browser and Untrusted code 13% – Untrusted data 12% – Cryptographic issues 6% – Other
  • 43. @spoole167 Vulnerability applicability High CVSS is irrelevant if the issue does not apply to you Java plugin flaws don’t apply to appserver deployments JAXP issues aren’t relevant if you don’t parse untrusted XML data Use the Oracle CPU Risk Matrix Base CVSS scores and vectors Consider the attack vector for the vulnerability Oracle Applicability notes IBM customers: if in doubt, contact IBM Support IBM Products have detailed applicability information
  • 45. @spoole167 Attack Vectors – Untrusted Code Code is able to bypass or escape the SecurityManager Sometimes incorrectly referred to as “client side” issues Affects any application which runs untrusted code under a security manager Some server applications do this! Flaw can be in any component on the classpath Partial bypass Exposure of sensitive information – e.g. system property values, heap contents Arbitrary network connections Full bypass Arbitrary code execution and access to operating system Many server deployments run as root/admin SecurityManager offers no protection against CPU DoS attacks Infinite loops Less of a problem now that unsigned applets are not permitted by default Applets are deprecated in JDK 9
  • 46. @spoole167 Attack Vectors – Plugin / Web Start True “client-side” issues Affect JREs installed as the system default Exploits can be triggered remotely, usually via a browser Malicious applet or JNLP file May involve platform or browser specific components Installer/updater Windows Registry entries Browser callbacks OS Shell behaviour (command line parsing) Inappropriate privilege elevation Applets and browser plugins are deprecated in JDK 9
  • 47. @spoole167 Attack Vectors – Untrusted Data A Java SE API mishandles a specific type of data XML, JPG, URLs, Fonts, JARs, Strings Issues tend to be more severe when the API is implemented natively Maliciously-crafted data can exploit the bug DoS – CPU/memory usage, crash Exposure of sensitive data – arbitrary memory access Arbitrary code execution – code injection, disabling of SecurityManager Affects any application which handles the specific data type from untrusted sources Examples A server application which allows users to upload images A server application which accepts SOAP requests A server application with an XML-based REST API
  • 48. @spoole167 Attack Vectors – Cryptographic Issues Protocol flaws Many implementations affected (Java, GSKit, OpenSSL, Browsers) BEAST, POODLE, SLOTH, Logjam, Bar Mitzvah Implementation flaws Specific to Java No fancy names! Variable Impact DoS Private key exposure Decryption of encrypted data
  • 49. @spoole167 Attack Vectors – Local Can only be exploited by a local user Exposure of sensitive data E.g. temp files with inappropriate permissions Code injection E.g. native code loaded from an unexpected location due to bad LIBPATH May lead to a remotely exploitable vulnerability E.g. local user plants malicious code which can be executed remotely Usually low CVSS due to the access required
  • 50. @spoole167 Deserialization Vulnerabilities Abuse of the readObject() method of one or more classes readObject() is invoked before the data is deserialized Attackers use “gadget chains” in classes on the server’s classpath Usually a complex set of nested objects which result in a Runtime.exec() Costly to fix – servers may have multiple copies of the vulnerable code Applications are vulnerable if they: Have the vulnerable code on their classpath Accept untrusted serialized data (this is much more common that you might think!) Known for years, but came to prominence with problem in Apache Commons remote code execution Many products affected – e.g. WebLogic, WebSphere, Tomcat, JBoss, Jenkins Serialization filtering was added to the Java runtime in January 2017 JEP 290 – Filter Incoming Serialization Data Allows classes to be whitelisted
  • 52. @spoole167 Example vulnerability • Infinite loop in java.lang.Double.parseDouble() • Triggered by the parsing of an obscure value • 2.2250738585072012e-308 • Bug was reported in 2001 • Spent ten years in a public bug database without the impact being realised • A researcher rediscovered it, and the significance was realised • Extremely easy to exploit and inflict a DoS, for example: • Website running on a Java platform • Send HTTP requests with headers set to the bad value • Server’s worker threads are quickly tied up in infinite loops • Affected all Java releases and a huge number of deployments • Massive cost to Java Vendors and our customers to produce and apply patches • CVSS score was only 5.0! • Good example of how CVSS does not necessarily describe the impact
  • 53. @spoole167 Example vulnerability • Apache Struts remote code execution • Mishandling of HTTP request header (i.e. untrusted String data) • Essentially: untrusted String data passed into Runtime.exec() with no validation (!!!) • Actual chain of events is complicated and obscure (which is why it wasn’t noticed) • Trivial to exploit • Actively exploited in the wild very quickly after patch release • Severity not clearly communicated • Easy to scan for vulnerable servers • Struts is a component in many applications • Many copies, many versions, many places • All updates have to be properly tested • => Massive task to fully patch
  • 54. @spoole167 Example vulnerability – JDWP • JDWP = Java Debug Wire Protocol • Disabled by default – enabled with a command line option • JVM internals can be observed and modified remotely • No authentication required • Classes can be changed, code can be injected • Well-known online banking website • JDWP enabled on public facing servers (!!!) • Presumably JDWP was enabled in development/test… • Found by a researcher after a simple port scan • Bug bounty => ££££ • Simple fix – disable JDWP!
  • 55. @spoole167 Example vulnerability Found by a third party researcher who published the details DLL side-loading vulnerability Java runtime tries to load libraries from a non-existent folder Incorrect path is used because a classpath URL is not decoded A space in the path is encoded as “%20” – C:Program%20Files... Any user on the system can create a folder with that name Allows local users to inject code into other users’ Java processes Privilege escalation if the target user has admin privileges Once the malicious code is planted, the issue can be exploited remotely via an applet or Web Start application Simple fix – decode the URL before using it as a library search path
  • 56. “A vulnerability is a bug which can be exploited by an attacker” “A vulnerability is also a feature which can be exploited by an attacker”
  • 57. “A vulnerability is a bug which can be exploited by an attacker” “A vulnerability is also a feature which can be exploited by an attacker” “A vulnerability is also a developer aid which can be exploited by an attacker”
  • 59. Keeping safe: it’s in your hands Keep current. Every vulnerability fix you apply is one less way in. Compartmentalise. Separate data, code, access controls etc. Just like bulkhead doors in a ship: ensure one compromise doesn’t sink your boat. Design for intrusion. Review you levels of ‘helpfulness’ and flexibility Learn about Penetration Testing Understand that making your development life easier makes the hackers job easier
  • 60. @spoole167 Reducing Risk • Keep all Java instances up to date • Don’t write custom security managers • Don’t write custom crypto code • Don’t write custom XML parsers • Use modern encryption protocols and algorithms • Be very careful with: • Untrusted data • Deserialization (including RMI and JMX) • JDWP • Runtime.exec() • Native code