It is found in various 3rd party libs, as described here at length:
http://foxglovesecurity.com/2015/11/06/ ... erability/
also the Apache reply for their commons lib (that Servoy also ships):
https://blogs.apache.org/foundation/ent ... widespread
We fixed it by making a whitelister for all the classes that come in through the RMI protocol.
Just fixing/patching the commons lib (the lib we ship) isn't really good enough, because there could be 3rd party plugins that contribute other libs with the same problem into Servoy.
To configure this:
For servoy_server:
add rmi-whitelist-1.0.jar to the classpath in servoy_server.sh or servoy_server.bat
add '-Drmi.whitelist.config=com.servoy.:com.sebster.' to the Java main (more packages may be needed)
For WAR deployment (under Tomcat):
create /path/to/tomcat/bin/setenv.sh (Linux/Mac) or Z:\path\to\tomcat\bin\setenv.bat (Windows) and in this file:
set the CLASSPATH variable to rmi-whitelist-1.0.jar
set JAVA_OPTS to '-Drmi.whitelist.config=com.servoy.:com.sebster.' (more packages may be needed)
Sample setenv.bat file for Tomcat under Windows (the classpath separator is ; under Windows and : under Unix):
REM put the whitelist jar on the classpath (Java accepts forward slashes on Windows)
SET CLASSPATH=%CLASSPATH%;%CATALINA_BASE%/bin/rmi-whitelist.jar
REM package prefixes allowed through RMI, separated by :
set JAVA_OPTS=-Drmi.whitelist.config=com.servoy.:com.sebster.
For WAR deployment on other web containers, consult your web container documentation for similar configuration.
For deployment using the Java Service Wrapper, edit the wrapper.conf file:
add rmi-whitelist-1.0.jar to the wrapper.java.classpath list
add '-Drmi.whitelist.config=com.servoy.:com.sebster.' to the wrapper.java.additional list (more packages may be needed)
All this is only needed if you use the Smart Client; if you only use the Web Client or NGClient you can turn off RMI with this property:
servoy.server.start.rmi=false
in the servoy.properties file (the WAR export has that option in the WAR export wizard).
Or make sure that the RMI port (mostly 1099) isn't open to the public internet.
If you use 3rd party plugins that have both a client and a server side portion and use their own classes in the remote functions that will be called, then you will get in your log file:
2015-11-14 14:39:06,237 WARN [RMI TCP Connection(2)-127.0.0.1] com.servoy.rmi.whitelist.WhitelistingRMIClassLoaderSpi - Class not whitelisted for RMI: a.package.that.you.expect.Class [ ]
then you have to add that package to the -D option: -Drmi.whitelist.config=com.servoy.:com.sebster.:a.package.that.you.expect.
so that classes from that package are allowed to be deserialized.
If you want to test whether the whitelister works, just don't set the -D property; a Smart Client shouldn't be able to connect and you will get all those warnings on the server side about Servoy classes which are not in the whitelist.
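As an added illustration of what such a whitelister does (example code written for this page, not Servoy's rmi-whitelist.jar, which hooks RMI class loading through the RMIClassLoaderSpi named in the log line above rather than ObjectInputStream): the class below applies the same "prefix1.:prefix2." format from -Drmi.whitelist.config to every class descriptor read during Java deserialization, rejects anything outside the listed packages with a warning shaped like the one in the post, and, when the property is absent, allows nothing, which is the behaviour the post's test step relies on. The class names, the WhitelistDemo$ prefix and the sample objects are assumptions made for this demo; the untrusted java.util.HashMap merely stands in for a class from a library you did not whitelist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

// Example code for this page only; NOT Servoy's rmi-whitelist.jar.
public class WhitelistDemo {

    // Stands in for a trusted class (think com.servoy.*). Its binary name is "WhitelistDemo$Payload".
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        int value;
    }

    // "com.servoy.:com.sebster." -> ["com.servoy.", "com.sebster."]; empty/missing config -> no prefixes.
    static List<String> parseConfig(String config) {
        List<String> prefixes = new ArrayList<>();
        if (config == null) return prefixes;
        for (String p : config.split(":")) {
            if (!p.isEmpty()) prefixes.add(p);
        }
        return prefixes;
    }

    // Plain prefix match: the trailing dot in "com.servoy." keeps "com.servoyevil.X" out.
    static boolean isWhitelisted(String className, List<String> prefixes) {
        for (String prefix : prefixes) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    // ObjectInputStream that consults the whitelist before any class is resolved.
    static final class WhitelistingObjectInputStream extends ObjectInputStream {
        private final List<String> prefixes;

        WhitelistingObjectInputStream(InputStream in, List<String> prefixes) throws IOException {
            super(in);
            this.prefixes = prefixes;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isWhitelisted(name, prefixes)) {
                // Same shape as the warning the post shows in the server log (constructed here).
                System.err.println("WARN Class not whitelisted for RMI: " + name);
                throw new InvalidClassException(name, "class not in whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, List<String> prefixes) throws IOException, ClassNotFoundException {
        try (WhitelistingObjectInputStream in =
                     new WhitelistingObjectInputStream(new ByteArrayInputStream(bytes), prefixes)) {
            return in.readObject();
        }
    }

    static void tryDeserialize(byte[] bytes, List<String> prefixes) throws IOException {
        try {
            Object o = deserialize(bytes, prefixes);
            System.out.println("allowed: " + o.getClass().getName());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        } catch (ClassNotFoundException e) {
            System.out.println("not found: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Config from -Drmi.whitelist.config (as in the post) or from the first argument;
        // with neither set the list is empty and nothing deserializes, like the post's test step.
        String config = args.length > 0 ? args[0] : System.getProperty("rmi.whitelist.config", "");
        List<String> prefixes = parseConfig(config);
        System.out.println("whitelist prefixes: " + prefixes);

        Payload p = new Payload();
        p.name = "trusted";
        p.value = 42;
        tryDeserialize(serialize(p), prefixes);                              // allowed only if "WhitelistDemo$" is listed
        tryDeserialize(serialize(new HashMap<String, String>()), prefixes);  // untrusted stand-in, always rejected
    }
}
```

Run it as `java WhitelistDemo` to see both objects rejected (no property set), then as `java -Drmi.whitelist.config='WhitelistDemo$' WhitelistDemo` to see the Payload pass and the HashMap still rejected; the printed warning is the line you would grep for in the server log before deciding whether a plugin's package really belongs in the list.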