Mitigating serialization issues in AEM mitigating-serialization-issues-in-aem

Overview overview

The AEM team at Adobe worked closely with the open-source project NotSoSerial to help in mitigating the vulnerabilities described in CVE-2015-7501. NotSoSerial is licensed under the Apache 2 license and includes ASM code licensed under its own BSD-like license.

The agent jar included with this package is Adobe’s modified distribution of NotSoSerial.

NotSoSerial is a Java™ level solution to a Java™ level problem and is not AEM-specific. It adds a preflight check to an attempt to deserialize an object. This check tests a class name against a firewall-style allowlist, or blocklist, or both. Due to the limited number of classes in the default blocklist, this test is unlikely to have an impact on your systems or code.

By default, the agent performs a blocklist check against current known vulnerable classes. This blocklist is intended to protect you from the current list of exploits that use this type of vulnerability.

The blocklist and allowlist can be configured by following the instructions in the Configuring the Agent section of this article.

The agent is intended to help mitigate the latest known vulnerable classes. If your project is deserializing untrusted data, it may still be vulnerable to denial of service attacks, out of memory attacks, and unknown future deserialization exploits.

Adobe officially supports Java™ 6, 7, and 8. However, Adobe’s understanding is that NotSoSerial supports Java™ 5 as well.

Installing the Agent installing-the-agent

NOTE
If you have previously installed the serialization hotfix for AEM 6.1, remove the agent start commands from your Java™ run line.
  1. Install the com.adobe.cq.cq-serialization-tester bundle.

  2. Go to the Bundle Web Console at https://server:port/system/console/bundles

  3. Look for the serialization bundle and start it. Doing so dynamically autoloads the NotSoSerial agent.

Installing the Agent on Application Servers installing-the-agent-on-application-servers

The NotSoSerial agent is not included in the standard distribution of AEM for application servers. However, you can extract it from the AEM jar distribution and use it with your application server setup:

  1. First, download the AEM quickstart file and extract it:

    code language-shell
    java -jar aem-quickstart-6.2.0.jar -unpack
    
  2. Go to the location of the newly unzipped AEM quickstart, and copy the crx-quickstart/opt/notsoserial/ folder to the crx-quickstart folder of the AEM application server installation.

  3. Change the ownership of /opt to the user running the server:

    code language-shell
    chown -R opt <user running the server>
    
  4. Configure and check that the agent has been properly activated as shown in the following sections of this article.

Configuring the agent configuring-the-agent

The default configuration is adequate for most installs. This configuration includes a blocklist of known remote run vulnerable classes and an allowlist of packages where deserialization of trusted data is safe.

The firewall configuration is dynamic, and can be changed at any time by:

  1. Going to the Web Console at https://server:port/system/console/configMgr

  2. Searching for and clicking Deserialization Firewall Configuration.

    note note
    NOTE
    You can also reach the configuration page directly by accessing the URL at:
    • https://server:port/system/console/configMgr/com.adobe.cq.deserfw.impl.DeserializationFirewallImpl

This configuration contains the allowlist, blocklist, and deserialization logging.

Allow Listing

In the allow listing section, these listings are classes, or package prefixes that are allowed for deserialization. If you are deserializing classes of your own, add either the classes or packages to this allowlist.

Block Listing

In the block listing section are classes that are never allowed for deserialization. The initial set of these classes is limited to classes that have been found vulnerable to remote execution attacks. The blocklist is applied before any allow listed entries.

Diagnostic Logging

In the section for diagnostic logging, you can choose several options to log when deserialization is taking place. These options are only logged on first use, and are not logged again on subsequent uses.

The default of class-name-only informs you of the classes that are being deserialized.

You can also set the full-stack option which logs a Java™ stack of the first deserialization attempt to inform you where your deserialization is taking place. This option is useful for finding and removing deserialization from your usage.

Verifying the Agent’s Activation verifying-the-agent-s-activation

You can verify the deserialization agent’s configuration by browsing to the URL at:

  • https://server:port/system/console/healthcheck?tags=deserialization

After you access the URL, a list of health checks related to the agent is displayed. You can determine if the agent is properly activated by verifying that the health checks are passing. If they are failing, you must load the agent manually.

For more information on troubleshooting issues with the agent, see Handling Errors With Dynamic Agent Loading below.

NOTE
If you add org.apache.commons.collections.functors to the allowlist, the health check always fails.

Handling errors with dynamic agent loading handling-errors-with-dynamic-agent-loading

If errors are exposed in the log, or the verification steps detect a problem loading the agent, load the agent manually. This workflow is also recommended if you use a JRE (Java™ Runtime Environment) instead of a JDK (Java™ Development Toolkit), because the tools for dynamic loading are not available.

To load the agent manually, do the following:

  1. Edit the JVM startup parameters of the CQ jar, adding the following option:

    code language-shell
    -javaagent:<aem-installation-folder>/crx-quickstart/opt/notsoserial/notsoserial.jar
    
    note note
    NOTE
    Requires that you use the -nofork CQ/AEM option as well, along with the appropriate JVM memory settings, as the agent is not enabled on a forked JVM.
    note note
    NOTE
    The Adobe distribution of the NotSoSerial agent jar can be found in the crx-quickstart/opt/notsoserial/ folder of your AEM installation.
  2. Stop and restart the JVM;

  3. Verify the agent’s activation again by following the steps described above in Verifying The Agent’s Activation.

Other Considerations other-considerations

If you are running on an IBM® JVM, review the documentation on support for the Java™ Attach API at this location.

recommendation-more-help
19ffd973-7af2-44d0-84b5-d547b0dffee2