Uploaded image for project: 'Commons Collections'
  1. Commons Collections
  2. COLLECTIONS-580

Arbitrary remote code execution with InvokerTransformer

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 3.0, 4.0
          • Fix Version/s: 3.2.2, 4.1
          • Component/s: None
          • Labels:
            None

            Description

            With InvokerTransformer serializable collections can be build that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create arbitrary remote code execution vulnerability.

            I don't know of a good fix short of removing InvokerTransformer or making it not Serializable. Both probably break existing applications.

            This is not my research, but has been discovered by other people.

            https://github.com/frohoff/ysoserial

            http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

              Attachments

                Issue Links

                is depended upon by

                Bug - A problem which impairs or prevents the functions of the product. VELTOOLS-169 Upgrade commons-collections compile dependency to v3.2.2 or v4.1

                • Critical - Crashes, loss of data, severe memory leak.
                • Closed
                is duplicated by

                Bug - A problem which impairs or prevents the functions of the product. COLLECTIONS-583 JAVA serialization vulnerability "CVE-2015-4852" in commons-collections*.jar

                • Major - Major loss of function.
                • Resolved
                is related to

                Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12579 Deprecate WriteableRPCEngine

                • Major - Major loss of function.
                • Resolved

                Task - A task that needs to be done. MYFACES-4020 Update commons-collections to 3.2.2

                • Major - Major loss of function.
                • Closed
                relates to

                Improvement - An improvement or enhancement to an existing feature or task. IO-487 ValidatingObjectInputStream contribution - restrict which classes can be deserialized

                • Minor - Minor loss of function, or other problem where easy workaround is present.
                • Closed

                Dependency upgrade - Upgrading a dependency to a newer version KARAF-4135 Upgrade commons-collections to version 3.2.2

                • Minor - Minor loss of function, or other problem where easy workaround is present.
                • Resolved

                  Activity

                    People

                    • Assignee:
                      Unassigned
                      Reporter:
                      marschall Philippe Marschall
                    • Votes:
                      66 Vote for this issue
                      Watchers:
                      104 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved: