Bug 1309686 - jboss: java.rmi.server.UnicastRemoteObject deserialization opens RMI listening socket
jboss: java.rmi.server.UnicastRemoteObject deserialization opens RMI listenin...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2016-02-18 08:38 EST by Adam Mariš
Modified: 2016-05-09 10:34 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-02-18 08:38:38 EST
It was found that by sending an appropriate serialized object, one can cause the target JVM to open a listening socket on a client-specified port, start a thread to process requests, and have limited execution of specific code - which could be used for a DoS.

java.rmi.server.UnicastRemoteObject is a Serializable object whose readObject() methods calls exportObject() which will open a TCP listening socket on the port specified by the 'port' field and listen for RMI requests. Depending on the 'java.rmi.server.hostname' property and environment it may be localhost-only or remotely accessible. If enough requests are sent, it could lead to starvation of local port numbers, file descriptors and threads. If that open socket is not protected from remote access (say by a firewall), an attacker can send RMI invocations to it.
Comment 3 Jason Shepherd 2016-02-22 23:21:37 EST
We were able to reproduce a starvation of local port numbers, file descriptors and threads, however we could not bind remote objects into the RMI Server created by an exploit of this flaw. Therefore we're treating this issue as a moderate impact, DoS flaw only.

Note You need to log in before you can comment on or make changes to this bug.