
Commons-collections object deserialization remote command execution vulnerability


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Version: 1.4.1 Release

Description

    I copied this issue from a different project since it also impacts commons-validator.

    Read: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
    TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you probably have an exploitable remote command execution vulnerability.

    The Commons Collections dependency should be upgraded to the latest version (4.1) to remediate this vulnerability.

People

    • Assignee: Unassigned
    • Reporter: Brandon Kite (bkite92)