Commons Collections / COLLECTIONS-580

Arbitrary remote code execution with InvokerTransformer


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0, 4.0
    • Fix Version/s: 3.2.2, 4.1
    • Component/s: None
    • Labels: None

      Description

      With InvokerTransformer, serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.

      I don't know of a good fix short of removing InvokerTransformer or making it not Serializable. Both probably break existing applications.

      This is not my research, but has been discovered by other people.

      https://github.com/frohoff/ysoserial

      http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
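      The mitigation available on the consuming side, independent of any fix in Commons Collections, is to stop ObjectInputStream from instantiating classes the endpoint never expects. The following is an added example, not code from this issue or from the Commons Collections project: it uses the JEP 290 ObjectInputFilter API (Java 9+) with an allowlist, so that a stream naming InvokerTransformer, AnnotationInvocationHandler or any other unlisted class is refused before its readObject() runs. The endpoint that only expects a HashMap of Strings is a hypothetical assumption, and both serialized payloads are constructed in the example itself.

```java
import java.io.*;
import java.util.*;

// Added example (not part of COLLECTIONS-580 or Commons Collections): a JEP 290
// ObjectInputFilter that admits only the classes a hypothetical endpoint needs.
public class DeserializationFilterDemo {

    // Allowlist: a HashMap of Strings is all this assumed endpoint expects.
    // Patterns are matched in order; the trailing "!*" rejects every class not
    // listed before it, so gadget classes never get instantiated. A blocklist such
    // as "!org.apache.commons.collections.functors.**" would only cover one library.
    static final ObjectInputFilter ALLOWLIST =
            ObjectInputFilter.Config.createFilter(
                    "java.util.HashMap;java.lang.String;!*");

    // Helper: serialize an object to bytes (stands in for a received network payload).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under the allowlist. The filter is consulted for every class
    // descriptor (and every String) in the stream; a non-allowlisted class raises
    // InvalidClassException before any readObject() of that class executes.
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload of the expected type: accepted.
        Map<String, String> expected = new HashMap<>();
        expected.put("user", "alice");
        System.out.println("accepted: " + deserializeFiltered(serialize(expected)));

        // Constructed payload of an unexpected type: rejected. An ArrayList is
        // harmless; the point is that anything outside the allowlist, including
        // the transformer and invocation-handler classes named in this issue,
        // is refused in exactly the same way.
        try {
            deserializeFiltered(serialize(new ArrayList<>(List.of("x"))));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Run with `java DeserializationFilterDemo.java` on Java 11 or later. On a JVM without setObjectInputFilter, the equivalent check belongs in an override of ObjectInputStream.resolveClass() that throws for any class name not in the allowlist; in both cases the allowlist should be derived from what the endpoint's protocol actually carries, not from a list of known gadget classes.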


    People

    • Assignee: Unassigned
    • Reporter: marschall (Philippe Marschall)
