commons-issues mailing list archives

From "Leon Tebbens (JIRA)" <>
Subject [jira] [Commented] (COLLECTIONS-580) Arbitrary remote code execution with InvokerTransformer
Date Tue, 10 Nov 2015 12:41:11 GMT


Leon Tebbens commented on COLLECTIONS-580:

I do not want to spoil the party, but are you guys absolutely sure that a hacker can inject
executable code by manipulation of a serialized object (like a cookie)? IMHO serializing is
only about fields (data) not methods (code).

Like all user input, a cookie (or any other string or object under control of the world outside
your application) should be treated by developers as unsafe input.

There's also no CVE issued for this "vulnerability" by oss security, because they think it
is not possible to exploit this "vulnerability".

> Arbitrary remote code execution with InvokerTransformer
> -------------------------------------------------------
>                 Key: COLLECTIONS-580
>                 URL:
>             Project: Commons Collections
>          Issue Type: Bug
>    Affects Versions: 3.0, 4.0
>            Reporter: Philippe Marschall
>         Attachments: COLLECTIONS-580.patch
> With {{InvokerTransformer}} serializable collections can be built that execute arbitrary
> Java code. {{sun.reflect.annotation.AnnotationInvocationHandler#readObject}} invokes {{#entrySet}}
> and {{#get}} on a deserialized collection. If you have an endpoint that accepts serialized
> Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote
> code execution vulnerability.
> I don't know of a good fix short of removing {{InvokerTransformer}} or making it not
> Serializable. Both probably break existing applications.
> This is not my research, but has been discovered by other people.

This message was sent by Atlassian JIRA
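The issue text quoted above describes the mechanism: a deserialization endpoint lets the remote party choose which classes get instantiated, and the gadget's own `readObject` runs before the application sees the result. The standard mitigation is look-ahead deserialization, which checks the class name before any state is read. The following is an added example, not code from the JIRA thread or from Commons Collections; the allow-list contents and the class name `SafeObjectInputStream` are assumptions for an endpoint that only expects a list of strings.

```java
import java.io.*;
import java.util.*;
// Added example, not code from the JIRA thread: a look-ahead ObjectInputStream
// that resolves only allow-listed classes, so gadget classes such as
// org.apache.commons.collections.functors.InvokerTransformer or
// sun.reflect.annotation.AnnotationInvocationHandler are rejected before readObject() runs.
public class SafeObjectInputStream extends ObjectInputStream {
    // Hypothetical allow-list for an endpoint that only ever expects a list of strings.
    private static final Set<String> ALLOWED =
            new HashSet<>(Collections.singletonList("java.util.ArrayList"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: the class name is known before any of its state is read.
            throw new InvalidClassException(name, "class not allowed for deserialization");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the expected payload type passes the filter.
        System.out.println("allowed: " + deserialize(serialize(new ArrayList<>(Arrays.asList("a", "b")))));
        // An unexpected type (here a HashMap) is rejected when its class is resolved.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without a subclass via `ObjectInputStream.setObjectInputFilter`, but the principle is identical: decide on the class name first, never on the deserialized object.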
