How to prevent Java RMI class loader exploit with AdminServer


Information

Title: How to prevent Java RMI class loader exploit with AdminServer
URL Name: How-to-prevent-Java-RMI-class-loader-exploit-with-AdminServer
Article Number: 000176908
Environment:
  Product: OpenEdge
  Version: 10.2x, 11.x to 11.6 inclusive
  OS: All Operating Systems
  Other: Java RMI, AdminServer
Question/Problem Description
How to prevent malicious Java code execution when using RMI?
How to prevent anonymous requests to load and execute Java classes from a remote URL when using RMI?
The Java version shipped with OpenEdge allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.
Steps to Reproduce
Clarifying Information
Java Remote Method Invocation (RMI) services permit remote anonymous users to load arbitrary Java classes through the class loader.
Such classes may execute system commands (for example pwd or whoami) or code that recovers stored password hashes and in-memory cleartext credentials.
By default, RMI services handle anonymous requests to load and execute Java classes from any remote (HTTP) URL.
RMI services are typically run under a highly privileged user context.
Error Message
Defect Number
Enhancement Number
Cause
Resolution
The Java RMI class loader exploit is resolved in Java 7 Update 21 (7u21), where the RMI property java.rmi.server.useCodebaseOnly now defaults to true.

The same change is also present in the JDK 6 Update 45 and JDK 5 Update 45 releases.

Upgrade the Java version used by OpenEdge to the latest supported update. Refer to Articles:
The following Java version is packaged with the OpenEdge 11.4, 11.5 and 11.6 installation media:
  • JDK 1.7.0_45: Windows (32-bit and 64-bit), Solaris (64-bit), Linux (32-bit and 64-bit)
  • OpenEdge 11.6 is still shipped with Java 1.7; however, the Java 8 Runtime is supported on all platforms supported by OpenEdge 11.6. Refer to Article: Java 8: Does OpenEdge Support Java8 Runtime for OE11.6?
  • Java 8 is certified for and shipped with OpenEdge 11.7.x and later, so no update is required there.
Workaround
To disable remote class loading and so prevent the attack, open the DLC/properties/AdminServerPlugins.properties file and modify the jvmargs line under the following section. This protects the main AdminServer process (default port 20931):

[PluginPolicy.Progress.AdminServer]
jvmargs=....... -Djava.rmi.server.useCodebaseOnly=true

For NameServer, WebSpeed and AppServer, modify the jvmargs line under their respective sections in DLC/properties/AdminServerPlugins.properties:

[Plugin.NameServer]
[Plugin.WebSpeed]
[Plugin.AppServer]

Then restart the AdminServer.
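An added helper (not Progress code and not part of this article) that audits an AdminServerPlugins.properties-style file for the four sections above and rewrites each section's jvmargs so that java.rmi.server.useCodebaseOnly is true, reporting which sections were not yet hardened. The sample file is constructed; the section list and the assumption that the jvmargs key starts at column one are mine.

```python
import re

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
OPT_RE = re.compile(r"-Djava\.rmi\.server\.useCodebaseOnly=\S+")
FLAG = "-Djava.rmi.server.useCodebaseOnly=true"
# Sections the article names; add further plugin sections if they also expose RMI.
TARGETS = ("PluginPolicy.Progress.AdminServer", "Plugin.NameServer",
           "Plugin.WebSpeed", "Plugin.AppServer")

def harden(text):
    """Return (new_text, changed): changed lists target sections that were not yet
    hardened (option absent, explicitly false, or no jvmargs line at all)."""
    out, changed = [], []
    section, has_jvmargs = None, True

    def close_section():  # a target section without any jvmargs line gets one
        if section in TARGETS and not has_jvmargs:
            out.append("jvmargs=" + FLAG)
            changed.append(section)

    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            close_section()
            section, has_jvmargs = m.group(1), False
        elif section in TARGETS and line.startswith("jvmargs="):
            has_jvmargs = True
            fixed = (OPT_RE.sub(FLAG, line) if OPT_RE.search(line)  # =false -> =true
                     else line.rstrip() + " " + FLAG)               # absent: append
            if fixed != line:
                changed.append(section)
            line = fixed
        out.append(line)
    close_section()
    return "\n".join(out) + "\n", changed

# Constructed sample: AdminServer sets the option to false (still exploitable),
# NameServer lacks it, WebSpeed is already correct, AppServer has no jvmargs line.
SAMPLE = """\
[PluginPolicy.Progress.AdminServer]
jvmargs=-Xmx256m -Djava.rmi.server.useCodebaseOnly=false
[Plugin.NameServer]
jvmargs=-Xmx128m
[Plugin.WebSpeed]
jvmargs=-Xmx128m -Djava.rmi.server.useCodebaseOnly=true
[Plugin.AppServer]
pluginclasspath=/placeholder/classpath
"""
```

Run harden() over the real file's contents and write the result back only after reviewing the changed list; the AdminServer must be restarted for the new jvmargs to take effect.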

Additional security can be added using a host-based firewall to restrict access to the affected service(s).

The OEM/OEE Console can be further secured by enabling SSL: disable HTTP and switch to HTTPS with a valid certificate. For further information refer to Article:
Notes
Last Modified Date: 11/20/2020 7:11 AM
Attachment: