How to implement remote code protection

Article ID: 2521
Last updated: 30 May, 2018
Article ID: 2521
Last updated: 30 May, 2018
Revision: 3
Views: 1914
Posted: 17 Jul, 2015
by Gargani A.
Updated: 30 May, 2018
by Gargani A.

Cause

A serious security vulnerability was recently found in our product. A remote, unauthenticated user can execute any Java code on the server.

The ilog.views.faces.IlvFacesController Servlet in jviews-framework-all.jar allows calling any other servlets on the classpath, even if they are not explicitly deployed exposing test servlets or administration servlets.

Resolving the problem

Starting from JViews 8.8 patch 21 and JViews 89 patch 1, the only kind of servlets that are allowed to be executed are:

  • servlets declared in web.xml
  • servlets which qualified name starts with ilog.views.faces.

If the you want to run another servlet you have to declare it in the IlvFacesController servlet parameter ilog.views.faces.ilvAuthorizedServletsList which holds a list of regular expressions.

Web.xml example: This would allow the execution of any servlet which name starts with bsh or toto

<servlet>
  <servlet-name>Controller</servlet-name>
  <servlet-class>ilog.views.faces.IlvFacesController</servlet-class>
  <init-param>
    <param-name>ilog.views.faces.ilvAuthorizedServletsList</param-name>
    <param-value>bsh.*,toto.*</param-value>
  </init-param>
  ...

This article was:   Helpful | Not helpful
Report an issue
Article ID: 2521
Last updated: 30 May, 2018
Revision: 3
Views: 1914
Posted: 17 Jul, 2015 by Gargani A.
Updated: 30 May, 2018 by Gargani A.
Also listed in


Others in this category