
Commit 72901e3

author
Timo Mueller
committed
Merge branch 'insecureJmxRmiServerEnvironment' of github.com:mogwailabs/codeql into insecureJmxRmiServerEnvironment
2 parents 59ebe08 + f44b97c commit 72901e3

File tree

3 files changed

+8
-10
lines changed


java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,8 @@ public void initAndStartJmxServer() throws IOException{
1717
/* Restrict the login function to String Objects only (see CVE-2016-3427) */
1818
Map<String, Object> env = new HashMap<String, Object>();
1919
// For Java 10+
20-
String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
21-
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
20+
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
21+
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
2222

2323
/* Java 9 or below:
2424
env.put("jmx.remote.rmi.server.credential.types",
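Review bot: `stringsOnlyFilter` (line 20) holds a fixed policy string rather than a per-call value, so consider hoisting it to a `private static final String` constant or inlining it into the `env.put(...)` call; the rename away from `my_filter` is the right direction for example code that readers will copy, but a local that is assigned once and used once adds little.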

java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@ public void initAndStartRmiServer(int port, String hostname, boolean local) {
77
/* Restrict the login function to String Objects only (see CVE-2016-3427) */
88
Map<String, Object> env = new HashMap<String, Object>();
99
// For Java 10+
10-
String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
11-
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
10+
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
11+
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
1212

1313
/* Java 9 or below
1414
env.put("jmx.remote.rmi.server.credential.types",
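Review bot: the unchanged comment `/* Java 9 or below` (line 13) lacks the colon used in the JMX sibling example (`/* Java 9 or below:`); since this change keeps the two files otherwise identical, align that comment as well so the examples do not drift.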

java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp

Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -10,21 +10,19 @@ method, resulting in the attempted deserialization of an attacker-controlled obj
1010
</overview>
1111

1212
<recommendation>
13-
<p>During the creation/initialitation of an RMI or JMX server a properly set environment (Map) variable has
14-
to be passed as second parameter.
15-
In order to disallow the deserialization of arbitrary objects the passed environment needs to set a deserialization filter.
16-
Ideally this filter only allows the deserialization to <code>java.lang.String</code>.
13+
<p>During the creation/initialization of an RMI or JMX server an environment should be supplied that sets a deserialization filter.
14+
Ideally this filter only allows the deserialization of <code>java.lang.String</code>.
1715

1816
The filter can be configured by setting the key <code>jmx.remote.rmi.server.credentials.filter.pattern</code> (given by the constant <code>RMIConnectorServer.CREDENTIALS_FILTER_PATTERN</code>).
1917
The filter should (ideally) only allow java.lang.String and disallow all other classes for deserialization: (<code>"java.lang.String;!*"</code>).
2018

2119
The key-value pair can be set as following:
2220

2321
<code>
24-
String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
22+
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
2523

2624
Map<String, Object> env = new HashMap<String, Object>;
27-
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
25+
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
2826
</code>
2927

3028
For applications using Java 9 or below:
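Review bot: the `<code>` sample in the recommendation still contains `Map<String, Object> env = new HashMap<String, Object>;` (line 26, unchanged context), which is missing the constructor parentheses and will not compile if copied; change it to `new HashMap<String, Object>();` (or `new HashMap<>();`). Two smaller points: after this edit, "Ideally this filter only allows the deserialization of java.lang.String" (line 14) and "The filter should (ideally) only allow java.lang.String ..." (line 17) state the same thing, so one of them can go; and a multi-line snippet in a qhelp file is conventionally wrapped in `<sample language="java">` rather than `<code>`, which is intended for inline identifiers.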
