
I've run Java apps on boxes that are several years out of date OS-patching-wise and have many bugs; explain to me how you'd exploit those?

You'd need to:

* Get through the CDN to hit origin
* Get through the patched internet-facing rproxies
* Exploit the JVM to get code execution, while your target area is something like Spring
* Get code exec on that box as the appserver user, _THEN_ use your j33t exploit.

If an attacker is capable of doing that, then absolutely nothing you can do is capable of stopping them anyway.

Patching is only important for your internet facing stuff, depending on your environment.

I WANT to patch such systems; we all agree that it's poor practice to do so. Sometimes life is unfair, though, and in the grand scheme of things I don't see any significant risk in this scenario.




I worked at a company with that kind of app. It got owned three different ways. A user reported it after they saw it listed in a forum somewhere.

It was mainly app vulns, not platform, but there were certainly things that could have avoided it. The system was just not hardened at all, and the devs were sloppy.

Luckily they had basic network security best practices and so it was confined to frontend, but blah blah SQL blah blah MITM, still not a good situation to be in.



