[FLINK-3005] Commons-collections object deserialization remote command execution vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.10.1, 1.0.0
Component/s: None
Labels:
None

Description

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.

Brief search in code base for ObjectInputStream reveals several places where the vulnerability exists.

Attachments

Activity

People

Assignee:: Ted Yu

Reporter:: Ted Yu

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 12/Nov/15 03:01

Updated:: 19/Nov/15 13:50

Resolved:: 19/Nov/15 13:50