Java: Finally closing the door on JNDI remote classloading [CVE-2018-3149]

November 1, 2018

The October 2018 CPU finally also applies classpath restrictions for LDAP object loading.

While JNDI/RMI had already received a codebase restriction a while back in the January 2017 CPU (8u121, 7u131), for some reason they failed to also apply that to the JNDI/LDAP subsystem. Given that I had mentioned and even exploited that in previous reports, I'm not sure why they have addressed this now and have not done so earlier. This removes some of the JNDI craziness and is a good hardening measure.

That means that starting with Java 11.0.1 and 8u191, directly getting remote code execution from JNDI lookups and related operations should no longer be possible. What is still possible, however, is getting a Java deserialization from these calls (both via RMI and LDAP).

Quite a few of the marshalsec payloads use the JNDI vector to get remote code execution; these are now degraded to an escalation to Java deserialization. If usable gadgets are available, with some more effort this may still ultimately allow remote code execution.
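As an added illustration (not code from the original post or from marshalsec): a small Java helper that checks whether an application has opted back into remote classloading via the JDK's `trustURLCodebase` system properties, and that rejects JNDI lookup names whose URL scheme would reach an RMI or LDAP server, since that path still yields a deserialization on a patched JDK. The property names are the JDK's own; restricting lookups to the `java:` scheme is an assumption about the application.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

public final class JndiGuard {
    // JDK system properties that, when set to "true", re-enable the remote
    // codebase loading that 8u191 / 11.0.1 disable by default.
    private static final String[] TRUST_CODEBASE_PROPS = {
        "com.sun.jndi.rmi.object.trustURLCodebase",
        "com.sun.jndi.ldap.object.trustURLCodebase"
    };

    // Assumption: this application only needs in-process (java:) naming,
    // so every other scheme (ldap, rmi, dns, ...) is rejected.
    private static final Set<String> ALLOWED_SCHEMES = Collections.singleton("java");

    /** True if a property explicitly re-enables JNDI remote classloading. */
    public static boolean remoteCodebaseReenabled() {
        for (String p : TRUST_CODEBASE_PROPS) {
            if ("true".equalsIgnoreCase(System.getProperty(p))) {
                return true;
            }
        }
        return false;
    }

    /** Accepts relative names and allowlisted schemes; rejects names that
     *  would make the JNDI provider talk to a remote RMI/LDAP endpoint. */
    public static boolean isSafeLookupName(String name) {
        if (name == null) {
            return false;
        }
        int colon = name.indexOf(':');
        if (colon < 0) {
            return true; // relative name, resolved by the local InitialContext
        }
        String scheme = name.substring(0, colon).toLowerCase(Locale.ROOT);
        return ALLOWED_SCHEMES.contains(scheme);
    }

    public static void main(String[] args) {
        if (remoteCodebaseReenabled()) {
            System.err.println("warning: trustURLCodebase=true re-enables JNDI remote classloading");
        }
        // Constructed sample names; example.invalid is a reserved, non-resolving domain.
        String[] samples = {"java:comp/env/jdbc/app", "ldap://example.invalid/x", "rmi://example.invalid/y"};
        for (String n : samples) {
            System.out.println(n + " -> " + (isSafeLookupName(n) ? "allowed" : "rejected"));
        }
    }
}
```

Wire `isSafeLookupName` in front of any `InitialContext.lookup` that takes attacker-influenced input; the property check belongs in a startup self-test.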