Uploaded image for project: 'Commons Collections'
  1. Commons Collections
  2. COLLECTIONS-580

Arbitrary remote code execution with InvokerTransformer

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.0, 4.0
    • 3.2.2, 4.1
    • None
    • None

    Description

      With InvokerTransformer serializable collections can be build that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create arbitrary remote code execution vulnerability.

      I don't know of a good fix short of removing InvokerTransformer or making it not Serializable. Both probably break existing applications.

      This is not my research, but has been discovered by other people.

      https://github.com/frohoff/ysoserial

      http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

      Attachments

        Issue Links

        is depended upon by

        Bug - A problem which impairs or prevents the functions of the product. VELTOOLS-169 Upgrade or remove commons-collections compile dependency

        • Critical - Crashes, loss of data, severe memory leak.
        • Closed
        is duplicated by

        Bug - A problem which impairs or prevents the functions of the product. COLLECTIONS-583 JAVA serialization vulnerability "CVE-2015-4852" in commons-collections*.jar

        • Major - Major loss of function.
        • Resolved
        is related to

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12579 Deprecate WriteableRPCEngine

        • Major - Major loss of function.
        • Resolved

        Task - A task that needs to be done. MYFACES-4020 Update commons-collections to 3.2.2

        • Major - Major loss of function.
        • Closed
        relates to

        Bug - A problem which impairs or prevents the functions of the product. COLLECTIONS-721 functors.InvokerTransformer backward incompatibility bug

        • Major - Major loss of function.
        • Closed

        Improvement - An improvement or enhancement to an existing feature or task. IO-487 ValidatingObjectInputStream contribution - restrict which classes can be deserialized

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Closed

        Dependency upgrade - Upgrading a dependency to a newer version KARAF-4135 Upgrade commons-collections to version 3.2.2

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Resolved

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            marschall Philippe Marschall
            Votes:
            66 Vote for this issue
            Watchers:
            105 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment