commons-issues mailing list archives

From "Thomas Neidhart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COLLECTIONS-580) Arbitrary remote code execution with InvokerTransformer
Date Sun, 08 Nov 2015 17:09:11 GMT

    [ https://issues.apache.org/jira/browse/COLLECTIONS-580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14995713#comment-14995713 ]

Thomas Neidhart commented on COLLECTIONS-580:
---------------------------------------------

We are currently working on a new release to address the issue.

As a solution, we prefer to introduce a new system property that controls whether the InvokerTransformer
can be serialized or not. The default would be false, thus using the new version of the library
will mean that any attempt to de-serialize an InvokerTransformer will result in an exception.

> Arbitrary remote code execution with InvokerTransformer
> -------------------------------------------------------
>
>                 Key: COLLECTIONS-580
>                 URL: https://issues.apache.org/jira/browse/COLLECTIONS-580
>             Project: Commons Collections
>          Issue Type: Bug
>    Affects Versions: 3.0, 4.0
>            Reporter: Philippe Marschall
>
> With {{InvokerTransformer}} serializable collections can be built that execute arbitrary
> Java code. {{sun.reflect.annotation.AnnotationInvocationHandler#readObject}} invokes {{#entrySet}}
> and {{#get}} on a deserialized collection. If you have an endpoint that accepts serialized
> Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote
> code execution vulnerability.
> I don't know of a good fix short of removing {{InvokerTransformer}} or making it not
> Serializable. Both probably break existing applications.
> This is not my research, but has been discovered by other people.
> https://github.com/frohoff/ysoserial
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
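The two defences discussed in this thread, shown side by side as an added example (this is not code from Commons Collections or from either poster): a library-side guard in the style the comment describes, where a serializable class refuses to be written or read unless a system property opts in, and an application-side guard, where the consumer's `ObjectInputStream` refuses to resolve the gadget class at all before any `readObject` hook can run. The class `GuardedTransformer`, the stream subclass `GuardedObjectInputStream` and the property name `example.enableUnsafeSerialization` are hypothetical stand-ins chosen for this example; the two fully qualified `InvokerTransformer` names in the deny-list are the class's locations in the 3.x and 4.x packages of the library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeserializationGuardExample {

    // Hypothetical property name for this example; the library release uses its own.
    static final String ENABLE_PROP = "example.enableUnsafeSerialization";

    // Hypothetical stand-in for a transformer whose deserialization is dangerous.
    // Both serialization hooks refuse to run unless the property is explicitly "true",
    // which is the opt-in behaviour described in the comment above.
    static final class GuardedTransformer implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String methodName;

        GuardedTransformer(String methodName) { this.methodName = methodName; }

        private static void checkUnsafeSerialization() {
            if (!Boolean.parseBoolean(System.getProperty(ENABLE_PROP, "false"))) {
                throw new UnsupportedOperationException(
                    "Serialization of GuardedTransformer is disabled; set -D" + ENABLE_PROP + "=true to enable");
            }
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            checkUnsafeSerialization();
            out.defaultWriteObject();
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            checkUnsafeSerialization();
            in.defaultReadObject();
        }
    }

    // Application-side deny-list: classes that must never be resolved from an untrusted stream.
    // The hypothetical GuardedTransformer is listed so the demo below can exercise the guard.
    static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        GuardedTransformer.class.getName()));

    // resolveClass runs before any readObject hook of the incoming class, so a rejected
    // class never gets the chance to execute code during deserialization.
    static final class GuardedObjectInputStream extends ObjectInputStream {
        GuardedObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (DENIED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class rejected by deserialization guard");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Producer side: writing succeeds only because the property is explicitly enabled.
        System.setProperty(ENABLE_PROP, "true");
        byte[] bytes = serialize(new GuardedTransformer("toString"));   // constructed sample payload
        System.clearProperty(ENABLE_PROP);

        // Library-side guard: a plain ObjectInputStream reaches readObject, which throws.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            System.out.println("unexpected: object was deserialized");
        } catch (UnsupportedOperationException e) {
            System.out.println("library guard: " + e.getMessage());
        }

        // Application-side guard: the class is refused before readObject ever runs.
        try (ObjectInputStream in = new GuardedObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
            System.out.println("unexpected: object was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("stream guard: " + e.getMessage());
        }
    }
}
```

The library-side guard only helps once every affected application has upgraded to a release that carries it, which is why the consumer-side check matters independently: a `resolveClass` deny-list (or, on Java 9 and later, an `ObjectInputFilter` installed with `ObjectInputStream.setObjectInputFilter`) protects an endpoint that accepts serialized objects regardless of which library versions sit on its classpath. An allow-list of the classes the endpoint actually expects is the stronger form of the same check; the deny-list above is kept to the class this issue is about.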
