With InvokerTransformer, serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
I don't know of a good fix short of removing InvokerTransformer or making it not Serializable. Both probably break existing applications.
This is not my research, but has been discovered by other people.
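The description leaves the fix open; one defensive control that works at the receiving endpoint rather than in the library is a look-ahead ObjectInputStream that refuses every class not on an allowlist before it is instantiated, in the spirit of the ValidatingObjectInputStream contribution linked from this issue (IO-487). This is an added illustration, not code from the commons-collections project, and the allowlist contents are an assumption for the example.

```java
import java.io.*;
import java.util.*;

// Look-ahead deserialization: resolveClass() is called for every class descriptor
// before an instance is created, so a rejected class never reaches its readObject().
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Assumption for this example: the only types this endpoint legitimately receives.
    // The superclass chain (Number for Integer) is described in the stream too.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.lang.Integer", "java.lang.Number");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Anything not listed, including every org.apache.commons.collections.functors.*
        // class, is refused before the JVM loads or instantiates it.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    private static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> m = new HashMap<>();
        m.put("answer", 42);
        System.out.println("accepted: " + deserialize(serialize(m)));
        try {
            deserialize(serialize(new Date()));   // java.util.Date is not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be applied without a subclass through ObjectInputStream.setObjectInputFilter and ObjectInputFilter.Config.createFilter, using a pattern that lists the accepted classes and ends with "!*" to reject everything else.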
- is depended upon by
  - VELTOOLS-169 Upgrade or remove commons-collections compile dependency (Closed)
- is duplicated by
  - COLLECTIONS-583 JAVA serialization vulnerability "CVE-2015-4852" in commons-collections*.jar (Resolved)
- is related to
  - HADOOP-12579 Deprecate WriteableRPCEngine (Resolved)
  - MYFACES-4020 Update commons-collections to 3.2.2 (Closed)
- relates to
  - COLLECTIONS-721 functors.InvokerTransformer backward incompatibility bug (Closed)
  - IO-487 ValidatingObjectInputStream contribution - restrict which classes can be deserialized (Closed)
  - KARAF-4135 Upgrade commons-collections to version 3.2.2 (Resolved)