Update Protection against Zend Zend Server Java Bridge Remote Code Execution Vulnerability
|Check Point Reference:||CPAI-2011-268|
|Source:||Secunia Advisory: SA43867|
|Protection Provided by:||
Who is Vulnerable?
Zend Technologies Zend Server 5.1.0 and prior
A remote code execution vulnerability has been reported in the Java Bridge server component of Zend Server. Zend Server is a complete, enterprise-ready Web Application Server for running and managing PHP applications. An internal component, the Zend Java Bridge, provides PHP developers with a way to use existing Java code and build PHP applications that use Java code. A remote attacker may exploit this vulnerability to execute arbitrary code on a target system.
The vulnerability is due to design weakness in javamw.jar which does not validate the origin of remote Java commands sent to it. A remote attacker may exploit this issue by sending a specially crafted request to the affected service. Successful exploitation of this vulnerability would lead to execution of arbitrary code on the target host.
This protection will detect and block malformed requests made to the vulnerable server.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Security Gateway: R75
How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Application Servers.
2. In the right pane, double-click the Zend Zend Server Java Bridge Remote Code Execution protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Application Servers Protection Violation
Attack Information: Zend Zend Server Java Bridge remote code execution