5.3.5. Container

Common Java servers include Tomcat, WebLogic, JBoss, GlassFish, Jetty, Resin, IBM WebSphere, etc. Here is a brief description of some of them.

5.3.5.1. Tomcat

Tomcat is a lightweight application server. It is commonly used in small and medium-sized systems, in deployments with few concurrent users, and for developing and debugging JSP programs.

After receiving the request, Tomcat’s processing flow is as follows:

  • The client accesses the web server and sends an HTTP request

  • After the web server receives the request, it passes it to the servlet container

  • The servlet container loads the servlet, generates a servlet instance, and passes it objects representing the request and the response

  • The servlet instance uses the request object to get the client’s request information, and then processes it accordingly

  • The servlet instance sends the processing result back to the client through the response object; the container is responsible for ensuring that the response is delivered correctly and for returning control to the web server
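The flow above, as an added worked example that is not part of the original text: a minimal servlet for Tomcat 9 (javax.servlet API; Tomcat 10 and later use the jakarta.servlet package instead). The class name HelloServlet, the /hello URL pattern and the name parameter are arbitrary assumptions made for the example; the comments map each part of the code onto the numbered steps of the processing flow.

```java
// Added example (not from the original text): a minimal servlet that maps the
// Tomcat request-processing steps onto code. Assumes a Tomcat 9.x deployment
// with the javax.servlet API on the classpath (Tomcat 10+ moved to
// jakarta.servlet). The servlet name and URL pattern are arbitrary choices.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Steps 2-3: Catalina resolves the URL pattern to this servlet and, on first
// use, creates a single instance and calls init() exactly once on it.
@WebServlet(name = "HelloServlet", urlPatterns = "/hello")
public class HelloServlet extends HttpServlet {

    private String greeting;

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        // Container-managed lifecycle: one instance serves all requests, so
        // anything stored in instance fields is shared across worker threads.
        greeting = "Hello";
    }

    // Steps 3-5: for each HTTP GET the container hands in a request object and
    // a response object and dispatches to doGet() on one of its threads.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 4: read client-supplied input from the request object.
        String name = req.getParameter("name");
        if (name == null || name.isEmpty()) {
            name = "world";
        }

        // Step 5: write the result through the response object. Headers must
        // be set before the body is committed.
        resp.setStatus(HttpServletResponse.SC_OK);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff");

        try (PrintWriter out = resp.getWriter()) {
            // Client input is reflected into HTML, so it is HTML-encoded first;
            // the container performs no output encoding on your behalf.
            out.println("<!DOCTYPE html><html><body>");
            out.println("<p>" + greeting + ", " + htmlEncode(name) + "</p>");
            out.println("</body></html>");
        }
        // Returning from doGet() hands control back to the container, which
        // flushes the response and returns the connection to the web server.
    }

    // Minimal HTML entity encoding for element text content; not sufficient
    // on its own for attribute or JavaScript contexts.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Packaged into a WAR and dropped into Tomcat's webapps directory, the servlet answers GET /<context>/hello?name=Alice with a small HTML page. The @WebServlet annotation replaces the equivalent servlet and servlet-mapping entries in web.xml; either form is how Catalina learns which class to instantiate for which URL.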

The Tomcat server is composed of a series of configurable components, the core component of which is the Catalina Servlet container, which is the top-level container for all other Tomcat components.

5.3.5.2. Weblogic

5.3.5.2.1. Introduction

WebLogic is an application server produced by Oracle Corporation of the United States. It is middleware based on the Java EE architecture, used to develop, integrate, deploy and manage large-scale distributed web applications, network applications and database applications. It brings the dynamic capabilities of Java and the security of the Java Enterprise standards into the development, integration, deployment and management of large-scale web applications.

WebLogic comprehensively supports a variety of industry standards, including EJB, JSP, Servlet, JMS, JDBC, and more.

5.3.5.3. JBoss

5.3.5.3.1. Introduction

JBoss is a container and server for managing J2EE-based EJBs. Its core services do not include a web container that supports servlet/JSP, so it is generally used in combination with Tomcat or Jetty.

5.3.5.3.2. Related CVE

  • CVE-2017-12149
    • Deserialization vulnerability

    • Reached via /invoker/readonly; if that page exists, the server is affected by the deserialization vulnerability
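The vulnerability class named above arises when a server endpoint calls readObject() on a byte stream supplied by the client. The following is an added example of the standard mitigation, not JBoss's own fix and not code from the original text: a look-ahead ObjectInputStream that rejects every class not on an explicit allowlist before any object is instantiated. It assumes Java 11 or later; the StatusMessage type is a constructed stand-in for a legitimate application message.

```java
// Added example (not from the original text, and not the vendor's patch): a
// look-ahead ObjectInputStream. resolveClass() is invoked for every class
// descriptor in the stream before the corresponding object is created, so
// refusing unexpected names there stops gadget chains before they execute.
// Assumes Java 11+ (Set.of). StatusMessage is a constructed sample type.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class SafeObjectInputStream extends ObjectInputStream {

    // Exactly the classes the protocol is expected to carry. Superclasses are
    // resolved from the stream too, so Number must accompany Integer. Strings
    // are written as a primitive stream token and never reach resolveClass().
    private static final Set<String> ALLOWED = Set.of(
        "SafeObjectInputStream$StatusMessage",   // hypothetical application type
        "java.lang.Integer",
        "java.lang.Number"
    );

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed. InvalidClassException is an IOException, so callers
            // that already handle I/O errors need no new failure path.
            throw new InvalidClassException(name, "class not allowed for deserialization");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample message type standing in for real application data.
    public static class StatusMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String code;
        public final Integer retries;
        public StatusMessage(String code, Integer retries) {
            this.code = code;
            this.retries = retries;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected message type passes the allowlist.
        StatusMessage ok = (StatusMessage) deserialize(serialize(new StatusMessage("OK", 3)));
        System.out.println("accepted: " + ok.code + " retries=" + ok.retries);

        // Any other class (a harmless java.util.Date here) is rejected before
        // it is instantiated; this is the property that blocks gadget chains.
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through ObjectInputStream.setObjectInputFilter (JEP 290), and a JVM-wide filter can be set with the jdk.serialFilter system property; either way the defensive rule is the same: deserialize only the concrete types the endpoint is designed to receive, and fail closed on everything else.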

5.3.5.4. Jetty

5.3.5.4.1. Introduction

Jetty is an open source servlet container.