Mitigating serialization issues in AEM
Overview
The AEM team at Adobe has been working closely with the open source project NotSoSerial to assist in mitigating the vulnerabilities described in CVE-2015-7501. NotSoSerial is licensed under the Apache 2 license and includes ASM code licensed under its own BSD-like license.
The agent jar included with this package is Adobe’s modified distribution of NotSoSerial.
NotSoSerial is a Java-level solution to a Java-level problem and is not AEM specific. It adds a preflight check to every attempt to deserialize an object: the class name is tested against a firewall-style allow list and/or block list before the object is read. Due to the limited number of classes in the default block list, this is unlikely to have an impact on your systems or code.
By default, the agent will perform a block list check against current known vulnerable classes. This block list is intended to protect you from the current list of exploits that use this type of vulnerability.
The block list and allow list can be configured by following the instructions in the Configuring the Agent section of this article.
The agent is intended to help mitigate the latest known vulnerable classes. If your project is deserializing untrusted data, it may still be vulnerable to denial of service attacks, out of memory attacks, and unknown future deserialization exploits.
Adobe officially supports Java 6, 7, and 8; however, our understanding is that NotSoSerial supports Java 5 as well.
Installing the Agent
- Install the com.adobe.cq.cq-serialization-tester bundle.
- Go to the Bundle Web Console at https://server:port/system/console/bundles
- Look for the serialization bundle and start it. This should dynamically autoload the NotSoSerial agent.
Installing the Agent on Application Servers
The NotSoSerial agent is not included in the standard distribution of AEM for application servers. However, you can extract it from the AEM jar distribution and use it with your application server setup:
- First, download the AEM quickstart file and extract it: java -jar aem-quickstart-6.2.0.jar -unpack
- Go to the location of the newly unzipped AEM quickstart, and copy the crx-quickstart/opt/notsoserial/ folder to the crx-quickstart folder of the AEM application server installation.
- Change the ownership of /opt to the user running the server: chown -R <user running the server> opt
- Configure and check that the agent has been properly activated as shown in the following sections of this article.
Configuring the agent
The default configuration is adequate for most installs. This includes a block list of known remote execution vulnerable classes and an allow list of packages where deserialization of trusted data should be relatively safe.
The firewall configuration is dynamic, and can be changed at any time by:
- Going to the Web Console at https://server:port/system/console/configMgr
- Searching for and clicking Deserialization Firewall Configuration.
NOTE: You can also reach the configuration page directly by accessing the URL at: https://server:port/system/console/configMgr/com.adobe.cq.deserfw.impl.DeserializationFirewallImpl
This configuration contains the allow list, block list, and deserialization logging.
Allow listing
The allow listing section lists the classes or package prefixes that are allowed for deserialization. Be aware that if you are deserializing classes of your own, you need to add either those classes or their packages to this allow list.
Block listing
The block listing section lists classes that are never allowed for deserialization. The initial set of these classes is limited to classes that have been found vulnerable to remote execution attacks. The block list is applied before any allow listed entries.
Diagnostic Logging
In the section for diagnostic logging, you can choose several options to log when deserialization is taking place. These are only logged on first use, and are not logged again on subsequent uses.
The default of class-name-only will inform you of the classes that are being deserialized.
You can also set the full-stack option which will log a java stack of the first deserialization attempt to inform you where your deserialization is taking place. This can be useful for finding and removing deserialization from your usage.
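As an added illustration of the preflight check that the overview and the configuration sections describe (example code, not Adobe's or NotSoSerial's), the following stand-alone Java program applies a block list before an allow list of class names and package prefixes inside an ObjectInputStream, logs each class on first use only, and refuses anything not explicitly allowed. The policy values, the class names and the sample stream are assumptions constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

public class DeserializationFirewallDemo {
    // Hypothetical policy modelled on the article: a block list of known-vulnerable
    // class names and an allow list of class names or package prefixes (values assumed).
    static final Set<String> BLOCK_LIST = new HashSet<String>(Arrays.asList(
            "org.apache.commons.collections.functors.InvokerTransformer"));
    static final List<String> ALLOW_LIST = Arrays.asList(
            "java.util.ArrayList", "java.lang.", "com.example.trusted.");
    static final Set<String> LOGGED = new HashSet<String>(); // each class is logged on first use only

    /** Preflight check: the block list is applied before any allow-listed entry. */
    static boolean permitted(String className) {
        if (BLOCK_LIST.contains(className)) return false;
        for (String entry : ALLOW_LIST) {
            boolean packagePrefix = entry.endsWith(".");
            if (packagePrefix ? className.startsWith(entry) : className.equals(entry)) return true;
        }
        return false; // anything not explicitly allowed is refused
    }

    /** ObjectInputStream that runs the check before any class in the stream is resolved. */
    static class FirewalledObjectInputStream extends ObjectInputStream {
        FirewalledObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (LOGGED.add(name)) System.out.println("deserializing " + name); // class-name-only log
            if (!permitted(name)) throw new InvalidClassException(name, "refused by deserialization firewall");
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stream: an ArrayList of Strings, which the allow list permits.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(new ArrayList<String>(Arrays.asList("a", "b")));
        oos.close();
        ObjectInputStream ois = new FirewalledObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()));
        System.out.println("read " + ois.readObject());
        ois.close();
        // A block-listed class is refused regardless of the allow list.
        System.out.println("InvokerTransformer permitted? "
                + permitted("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```

Keep the allow list as narrow as your own serialized types require; a broad package prefix reintroduces the exposure the block list is meant to limit.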
Verifying the Agent’s Activation
You can verify the deserialization agent’s configuration by browsing to the URL at:
https://server:port/system/console/healthcheck?tags=deserialization
Once you access the URL, a list of health checks related to the agent will be displayed. You can determine if the agent is properly activated by verifying that the health checks are passing. If they are failing, you may need to load the agent manually.
For more information on troubleshooting issues with the agent, see Handling Errors With Dynamic Agent Loading below.
NOTE: If you add org.apache.commons.collections.functors to the allow list, the health check will always fail.
Handling errors with dynamic agent loading
If errors are exposed in the log, or the verification steps detect a problem loading the agent, you might need to load the agent manually. This is also recommended in case you are using a JRE (Java Runtime Environment) instead of a JDK (Java Development Kit), since the tools for dynamic loading are not available.
In order to load the agent manually, follow the below instructions:
- Modify the JVM startup parameters of the CQ jar, adding the following option: -javaagent:<aem-installation-folder>/crx-quickstart/opt/notsoserial/notsoserial.jar
  NOTE: This requires using the -nofork CQ/AEM option as well, along with the appropriate JVM memory settings, as the agent won’t be enabled on a forked JVM.
  NOTE: The Adobe distribution of the NotSoSerial agent jar can be found in the crx-quickstart/opt/notsoserial/ folder of your AEM installation.
- Stop and restart the JVM.
- Verify the agent’s activation again by following the steps described above in Verifying the Agent’s Activation.
Other Considerations
If you are running on an IBM JVM, please review the documentation on support for the Java Attach API at this location.