commons-issues mailing list archives

From "Joerg Schaible (JIRA)" <>
Subject [jira] [Commented] (COLLECTIONS-580) Arbitrary remote code execution with InvokerTransformer
Date Mon, 09 Nov 2015 08:44:11 GMT


Joerg Schaible commented on COLLECTIONS-580:

Hi Paul,

we do not re-release, Thomas intends to release new version 3.2.2 only (with some additional
cheap bug fixes). I don't know if we gain a lot if we also make releases for older code lines
(e.g. release new 3.1.1, 3.0.1, 2.1.2, 2.0.1 and/or 1.0.1) with this cherry-pick only. The
line is supposed to be binary compatible anyway. If someone does not want to upgrade to 3.2.2,
why should he consider upgrading to one of the other "new" releases?


> Arbitrary remote code execution with InvokerTransformer
> -------------------------------------------------------
>                 Key: COLLECTIONS-580
>                 URL:
>             Project: Commons Collections
>          Issue Type: Bug
>    Affects Versions: 3.0, 4.0
>            Reporter: Philippe Marschall
> With {{InvokerTransformer}} serializable collections can be built that execute arbitrary
> Java code. {{sun.reflect.annotation.AnnotationInvocationHandler#readObject}} invokes {{#entrySet}}
> and {{#get}} on a deserialized collection. If you have an endpoint that accepts serialized
> Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote
> code execution vulnerability.
> I don't know of a good fix short of removing {{InvokerTransformer}} or making it not
> Serializable. Both probably break existing applications.
> This is not my research, but has been discovered by other people.

This message was sent by Atlassian JIRA
