Article ID: 128533, created on Mar 9, 2016, last review on Mar 31, 2016

  • Applies to:
  • Operations Automation 6.0

Symptoms

OACI currently uses a vulnerable version of the XStream library. The OACI Instance Manager deserializes XML received from an untrusted source into Java objects using this library; by adding an EventHandler dynamic proxy to the serialized object, an attacker can execute arbitrary Java code in the context of the user running the affected application. No authentication is required to exploit this issue.

CVE-2013-7285 has been assigned to this issue.

Cause

This behavior is tracked as CCU-12488 and will be fixed in a future OACI update.

Resolution

The ActiveMQ server listens on the public interface on port 61616. To prevent remote code execution, the ActiveMQ service should be configured to listen only on local addresses (loopback and the backnet). Perform the following steps:

  1. In the file '/usr/apache-activemq/conf/activemq.xml' on the OACI Instance Manager, change the following part of the configuration file:

    <transportConnectors>
    <transportConnector name="openwire" allowLinkStealing="true" uri="tcp://0.0.0.0:61616"/>
    </transportConnectors>
    

    to:

    <transportConnectors>
    <transportConnector name="openwire_localhost" allowLinkStealing="true" uri="tcp://localhost:61616"/>
    <transportConnector name="openwire_backnet" allowLinkStealing="true" uri="tcp://<BACKNET_IP>:61616"/>
    </transportConnectors>
    

    where <BACKNET_IP> is the internal (backnet) IP address of the Instance Manager; it is used by PACI-aps running on the Operations Automation management node. Also make sure that localhost resolves to 127.0.0.1. ActiveMQ must be restarted for the new transport connectors to take effect.

  2. It is recommended to close all ports on the public interface of the Instance Manager except 4465, which is used for the OACI public API; the HTTP endpoint there requires authentication. Refer to the Configuring Firewall Rules chapter of the OACI deployment guide.

  3. It is recommended to allow network connections to the ActiveMQ service from the OA Management node only:

    iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 61616 -j DROP
    iptables -I INPUT -p tcp -s <OAMN_BACKNET_IP>,127.0.0.1 --dport 61616 -j ACCEPT
    

    where <OAMN_BACKNET_IP> is the OA Management node backnet IP address. Both commands use -I, which inserts at the top of the INPUT chain, so run them in this order: the ACCEPT rule inserted second ends up above the DROP rule. Rules inserted this way are not persistent; save them with your distribution's iptables persistence mechanism so they survive a reboot.

  4. Note that if you have additional listeners configured in the /usr/local/share/PACI-im/IM-config.xml configuration file, tune them accordingly so that they are not exposed on the public interface unless that is intended.

    Listeners are configured in the following part of IM-config.xml file:

    <jax-rs root="/paci" staticContent="true">
    <installRequestLogger disable="false" logResponses="true" />
    <formatXmlOutput />
    <validateRequests />
    <listener host="0.0.0.0" keystore-pwd="secret" maxThreads="100" minThreads="5" name="insecure" port="4465" reuseAddress="false" secure="false" />
    </jax-rs>
    
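As an added example (not code from this article, from OACI or from ActiveMQ), the following POSIX shell script automates the checks a practitioner would want after steps 1 through 4: it flags any transportConnector in an activemq.xml that still binds a wildcard address, flags listeners in an IM-config.xml that bind 0.0.0.0 on a port other than 4465, and prints the step 3 iptables rules in the order that leaves the ACCEPT rules above the DROP rule. The sample files it writes, and the addresses 10.0.0.20 and 10.0.0.10, are constructed sample data, not real hosts.

```shell
#!/bin/sh
# Added example, not part of the original article or of OACI.
# Audits ActiveMQ / Instance Manager bind addresses and prints firewall rules.
# Sample files and IP addresses below are constructed for illustration.

# Print every transportConnector URI in $1 whose host part is a wildcard
# (0.0.0.0 or [::]). Returns 1 if any such connector exists, 0 otherwise.
audit_activemq_xml() {
    hits=$(grep -o 'uri="[a-z+]*://[^"]*"' "$1" \
             | grep -E '://(0\.0\.0\.0|\[::\]):' \
             | sed 's/^uri="//; s/"$//')
    if [ -n "$hits" ]; then
        printf 'wildcard-bound connector(s) in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Print listeners in an IM-config.xml ($1) that bind 0.0.0.0 on a port other
# than 4465, the one public API listener the article expects to stay public.
# Returns 1 if any are found, 0 otherwise.
audit_im_config() {
    hits=$(grep -o '<listener [^>]*>' "$1" \
             | grep 'host="0\.0\.0\.0"' \
             | grep -v 'port="4465"')
    if [ -n "$hits" ]; then
        printf 'public-bound extra listener(s) in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# True if $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands that restrict port 61616 to loopback and the
# OA management node backnet address $1. All three use -I (insert at top of
# the chain), so DROP is printed first and ends up below the two ACCEPT rules.
activemq_fw_rules() {
    is_ipv4 "$1" || { echo "activemq_fw_rules: '$1' is not an IPv4 address" >&2; return 1; }
    printf 'iptables -I INPUT -p tcp --dport 61616 -j DROP\n'
    printf 'iptables -I INPUT -p tcp -s 127.0.0.1 --dport 61616 -j ACCEPT\n'
    printf 'iptables -I INPUT -p tcp -s %s --dport 61616 -j ACCEPT\n' "$1"
}

# Constructed sample configs: the vulnerable "before", the fixed "after", and
# an IM-config.xml with one extra listener that should not stay public.
WORK=$(mktemp -d)
SAMPLE_BEFORE="$WORK/activemq-before.xml"
SAMPLE_AFTER="$WORK/activemq-after.xml"
SAMPLE_IM="$WORK/IM-config.xml"
cat > "$SAMPLE_BEFORE" <<'EOF'
<transportConnectors>
<transportConnector name="openwire" allowLinkStealing="true" uri="tcp://0.0.0.0:61616"/>
</transportConnectors>
EOF
cat > "$SAMPLE_AFTER" <<'EOF'
<transportConnectors>
<transportConnector name="openwire_localhost" allowLinkStealing="true" uri="tcp://localhost:61616"/>
<transportConnector name="openwire_backnet" allowLinkStealing="true" uri="tcp://10.0.0.20:61616"/>
</transportConnectors>
EOF
cat > "$SAMPLE_IM" <<'EOF'
<jax-rs root="/paci" staticContent="true">
<listener host="0.0.0.0" name="insecure" port="4465" secure="false" />
<listener host="0.0.0.0" name="extra" port="4466" secure="false" />
</jax-rs>
EOF

# Stand-alone run: audit the samples and show the rules for a sample backnet IP.
audit_activemq_xml "$SAMPLE_BEFORE" || echo "-> $SAMPLE_BEFORE needs the step 1 change"
audit_activemq_xml "$SAMPLE_AFTER" && echo "-> $SAMPLE_AFTER binds specific addresses only"
audit_im_config "$SAMPLE_IM" || echo "-> restrict these listeners (step 4)"
activemq_fw_rules 10.0.0.10
```

On a real Instance Manager, point the audit functions at /usr/apache-activemq/conf/activemq.xml and /usr/local/share/PACI-im/IM-config.xml, and pipe the output of activemq_fw_rules into sh as root only after reviewing it; the script itself never modifies the host.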

Search Words

remote code execution using Java deserialization vulnerability

CCU-12488

OACI vulnerability

CVE-2013-7285

OACI: remote code execution using Java deserialization vulnerability

