Apache Geronimo Remote Code Execution Vulnerability


Apache Geronimo is the Apache Software Foundation's open-source J2EE server. It integrates a large number of advanced technologies and design ideas, most of which come from independent projects, each with its own configuration and deployment model.



Geronimo actually has quite a few deserialization entry points. By default it also ships a console similar to Tomcat Manager, through which WAR packages can be deployed, for example after a weak-password login. While testing I found that Java RMI is started by default and that commons-collections is in use:


 ./repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar matches
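As an added example (not part of the original writeup), the following POSIX shell script inventories commons-collections jars in a Geronimo-style Maven repository layout like the one matched above and flags the releases that still deserialize the unsafe functors: 3.x before 3.2.2 and 4.x before 4.1, the versions in which that behaviour was disabled by default. The sample tree built at the end is constructed for the example.

```shell
#!/bin/sh
# Inventory commons-collections jars below a repository root and flag the
# releases that still deserialize the InvokerTransformer gadget chain
# (commons-collections 3.x before 3.2.2, commons-collections4 before 4.1).

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0; if (xi > yi) exit 1
    }
    exit 1
  }'
}

# cc_version_is_risky VER: exit 0 when VER predates the release that stopped
# deserializing the unsafe functors by default.
cc_version_is_risky() {
  case "$1" in
    3.*) version_lt "$1" 3.2.2 ;;
    4.*) version_lt "$1" 4.1 ;;
    *)   return 1 ;;
  esac
}

# scan_repo DIR: print "RISKY|ok <version> <jar>" for every commons-collections
# jar below DIR; the version is taken from the jar file name.
scan_repo() {
  find "$1" -type f \( -name 'commons-collections-*.jar' -o -name 'commons-collections4-*.jar' \) |
  while read -r jar; do
    ver=$(basename "$jar" .jar | sed 's/^commons-collections4\{0,1\}-//')
    if cc_version_is_risky "$ver"; then
      printf 'RISKY %s %s\n' "$ver" "$jar"
    else
      printf 'ok %s %s\n' "$ver" "$jar"
    fi
  done
}

# Demo on a constructed tree that mirrors the repository layout seen above.
demo_root=$(mktemp -d)
for v in 3.2.1 3.2.2; do
  mkdir -p "$demo_root/repository/commons-collections/commons-collections/$v"
  : > "$demo_root/repository/commons-collections/commons-collections/$v/commons-collections-$v.jar"
done
scan_repo "$demo_root"
rm -rf "$demo_root"
```

Run it against the Geronimo installation root instead of the demo tree to list every bundled commons-collections version; the RMI listener still needs to be firewalled or filtered regardless of the jar version found.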




Hi jianan!

Yes, indeed Kevan is right.

The Apache Geronimo Community has recently voted to end support for the Geronimo Server part as Kevan has pointed out.
And yes, we so far failed to reflect this fact on our page.
I will try to address this immediately.

I hope that you understand our situation!

Note that any RMI communication is usually done on a custom port > 1024.
So those ports are usually blocked by a firewall anyway.
Which means that IF a company has any issues with that, then they will likely have far more problems than 'just' an RMI injection.

txs and LieGrue,

> On 19.12.2017 at 00:23, Kevan Miller <kevan.miller@gmail.com> wrote:
> Hi Jianan,
> I'm not certain why the PMC has failed to respond to you. Perhaps your messages are not being properly moderated onto the PMC's mailing list?
> I believe their response would be as follows:
> The Geronimo Server distribution is no longer supported. The community vote thread that decided this is:
> https://lists.apache.org/thread.html/7d8159f186eb58f253cfdbe71a7da6a420d6d85565bba01c731d8d0f@%3Cdev.geronimo.apache.org%3E
> Unfortunately, the results of this vote are not properly noted on http://geronimo.apache.org/
> kevan