
rmi-vuln-classloader shows potential false positive against partially mitigated JVM 1.8.0_45 #146

Open
dmiller-nmap opened this issue Jun 1, 2015 · 0 comments

@dmiller-nmap

From IRC:

2015-06-01T20:30:19  <anthonymoralez> ‘nmap -q -sV --version-all --script rmi-vuln-classloader.nse -p 1098 localhost’ reports a vulnerability on port 1098. I am running ‘rmid -J-Djava.security.policy=file:///path/to/my.policy’ from oracle’s JVM Java 1.8.0_45. My understanding was that this script is checking for the vulnerability that is mitigated by enabling java.rmi.server.useCodebaseOnly, which is enabled by default with JVM 1.8.0_45.
2015-06-01T20:31:19  <anthonymoralez> Does anyone know if rmi-vuln-classloader is supposed to detect this issue? Or how to secure rmid against this script?
2015-06-01T20:39:44  <anthonymoralez> judging by this message: http://seclists.org/nmap-dev/2012/q2/442 it is but I still don’t see how to secure rmid against this vulnerability

The script attempts to load the "dummy" class from "file:./dummy.jar", which will not succeed in any case. The target is deemed vulnerable if the response does not contain "RMI class loader disabled". This check may not distinguish between JVMs which support or enable the java.rmi.server.useCodebaseOnly property. Todo items:

  1. Determine if the useCodebaseOnly property really makes a service not-vulnerable. We may want to downgrade to LIKELY_VULN to reflect this mitigation, but it doesn't feel like a complete mitigation.
  2. Update the script to distinguish services with this property. This may require actually loading a class from elsewhere, which would be difficult unless there is some system-available class that useCodebaseOnly is supposed to prevent loading. Perhaps something like java.lang.Runtime.exec()?
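The decision rule described above, and the downgrade floated in todo item 1, modelled in Python as an added illustration (this is not the Nmap script's own Lua code, and it does not speak RMI; the real script parses the serialized reply from the registry). The sample replies are constructed strings: the "no security manager: RMI class loader disabled" wording matches what the JDK's RMI class loader reports when codebase loading is off, while a bare "ClassNotFoundException: dummy" is what a practitioner would expect both from a JVM honouring java.rmi.server.useCodebaseOnly (codebase ignored, class looked up on the server's own classpath) and from a JVM that actually tried and failed to fetch file:./dummy.jar, which is exactly the ambiguity the issue describes. The `proposed_rule` function is one reading of todo item 1 and is an assumption, not anything the script currently does:

```python
import re

# Result levels. The Nmap vulns library uses VULN / LIKELY_VULN / NOT_VULN
# states; the string values below are this example's own.
VULN = "VULNERABLE"
LIKELY_VULN = "LIKELY VULNERABLE"
NOT_VULN = "NOT VULNERABLE"

DISABLED_MARKER = "RMI class loader disabled"
DUMMY_CLASS = "dummy"  # class the script asks the registry to resolve

# Java exception class name, optionally followed by ": message"
EXC_RE = re.compile(r"([A-Za-z_$][\w$.]*Exception)(?::\s*(.*))?")

# Constructed sample replies (hypothetical; not captured from a real service)
SAMPLE_REPLIES = {
    "no_security_manager":
        "java.lang.ClassNotFoundException: dummy (no security manager: RMI class loader disabled)",
    "codebase_ignored_or_unreachable":
        "java.lang.ClassNotFoundException: dummy",
    "unexpected":
        "java.rmi.UnmarshalException: error unmarshalling arguments",
}


def parse_exception(reply: str):
    """Extract (exception_class, message) from a textual reply, or (None, None)."""
    m = EXC_RE.search(reply)
    if not m:
        return None, None
    return m.group(1), (m.group(2) or "").strip()


def current_rule(reply: str) -> str:
    """Rule as the issue describes it: vulnerable unless the marker is present."""
    return NOT_VULN if DISABLED_MARKER in reply else VULN


def proposed_rule(reply: str) -> str:
    """Assumed refinement of todo item 1: a plain ClassNotFoundException for the
    dummy class, with no 'disabled' marker, cannot be told apart from a
    useCodebaseOnly JVM, so report LIKELY_VULN instead of VULN. Any other
    failure text keeps the old VULN verdict."""
    if DISABLED_MARKER in reply:
        return NOT_VULN
    exc, msg = parse_exception(reply)
    if exc and exc.endswith("ClassNotFoundException") and msg.split()[:1] == [DUMMY_CLASS]:
        return LIKELY_VULN
    return VULN


def classify_all(rules=(current_rule, proposed_rule)):
    """Run every rule over every sample; returns {sample: (verdict per rule)}."""
    return {name: tuple(rule(reply) for rule in rules)
            for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdicts in classify_all().items():
        print(f"{name:34s} current={verdicts[0]:18s} proposed={verdicts[1]}")
```

Running it shows the point of the issue: the second sample is reported VULNERABLE by the current rule even though it is equally consistent with a mitigated JVM, and the refinement can only soften that verdict, not resolve it. Actually distinguishing the two cases needs the extra probe discussed in todo item 2, which this example does not attempt.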