Closed karelmaxa closed 1 year ago
Btw. did you check in other code that we only expose views that extend ConsoleViewBeanBase?
Yes, only the ConsoleViewBeanBase extends com.iplanet.jato.view.ViewBeanBase. Other view components are extending ConsoleViewBeanBase with an overridden deserializePageAttributes method.
This PR removes the VersionServlet and related logic to resolve the security vulnerability published as CVE-2021-35464. I was able to reproduce the exploit using a sustaining 13.5.x version built with JDK 8. The same exploit did not work with the current version built with JDK 17 (due to changes in the classloader). The Jato JDK9+ issue has been fixed using a monkey-patched Encoder (see https://github.com/WrenSecurity/wrenam/commit/ff7f8110c5e370aabe3ebe1329c235fb8b11f30f). This change also removes the version button from the legacy admin interface (see image below). This should be fine, as the interface should be completely reworked.