
I had these odd messages on my server before it crashed:

[ (org.jboss.seam.core.Interpolator)] exception interpolating string: #{(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6]).invoke(expressions.getClass().forName('java.lang.Runtime')).exec('ls')}
javax.el.ELException: java.io.IOException: Cannot run program "ls": java.io.IOException: error=12, Cannot allocate memory

It seems to me that someone tried to execute something through the Interpolator class. I found this code, from an earlier version of Seam:

http://www.java2s.com/Open-Source/Java-Document/JBoss/jboss-seam-2.1.0.A1/org/jboss/seam/core/Interpolator.java.htm

I found this post:

How to solve "java.io.IOException: error=12, Cannot allocate memory" calling Runtime#exec()?

But in my case, I'm not trying to solve it, I want to restrict it.

Can I prevent system execution through a Security Manager? Do you have any suggestions to prevent this kind of execution?

Thanks in advance.

Awi

1 Answer


Are you sure that it is YOUR code trying to run "ls" on your server? If not, it looks like someone is trying to exploit this problem of Seam 2. In this case you should upgrade to Seam 2.2.2.Final.

Tair
  • I'm almost sure it is not code necessary for the application, but since it's a big project, I'll have to consult with the rest of the team. We will also see the steps to migrate to the latest stable 2.x branch; we had it scheduled, but now it will become a priority. Thank you very much. – Awi Jul 10 '11 at 19:06
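
Added example, not part of the original thread or of Seam: a log triage script that finds `Interpolator` failures like the one in the question, flags expressions that use reflection or process launch, and notes whether the following line shows the `exec` call was actually reached. The token lists, the function name `triage` and the two log lines marked as constructed are assumptions made for illustration.

```python
import re

# Entry format taken from the question: Seam's Interpolator failing on a string.
INTERPOLATOR = re.compile(
    r"\(org\.jboss\.seam\.core\.Interpolator\)\]\s*"
    r"exception interpolating string:\s*(?P<expr>.*)$"
)
# Tokens with no place in a UI message template (assumed list, extend as needed).
SUSPICIOUS = {
    "reflection": re.compile(
        r"getClass\s*\(|forName\s*\(|getDeclaredMethods?\s*\(|\.invoke\s*\("),
    "runtime": re.compile(r"java\.lang\.(Runtime|ProcessBuilder)"),
    "exec": re.compile(r"\.exec\s*\(|\.start\s*\("),
}

def triage(lines):
    """Return one finding per Interpolator entry whose expression looks hostile."""
    findings = []
    for i, line in enumerate(lines):
        m = INTERPOLATOR.search(line)
        if not m:
            continue
        expr = m.group("expr").strip()
        reasons = sorted(n for n, rx in SUSPICIOUS.items() if rx.search(expr))
        if not reasons:
            continue  # ordinary template error, e.g. a misspelled property
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        findings.append({
            "line": i + 1,
            "reasons": reasons,
            # "Cannot run program" means the JVM got as far as launching a process.
            "exec_attempted": "Cannot run program" in nxt,
            "expr": expr,
        })
    return findings

SAMPLE_LOG = [
    # First two lines are the ones quoted in the question.
    "[ (org.jboss.seam.core.Interpolator)] exception interpolating string: #{(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6]).invoke(expressions.getClass().forName('java.lang.Runtime')).exec('ls')}",
    'javax.el.ELException: java.io.IOException: Cannot run program "ls": java.io.IOException: error=12, Cannot allocate memory',
    # Constructed: a benign interpolation failure and an unrelated entry.
    "[ (org.jboss.seam.core.Interpolator)] exception interpolating string: Welcome back, #{user.nmae}",
    "[ (org.example.app.OrderAction)] order 1042 saved",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {','.join(f['reasons'])} "
              f"exec_attempted={f['exec_attempted']}")
```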