commons-issues mailing list archives

From "Brandon Kite (JIRA)" <j...@apache.org>
Subject [jira] [Created] (VALIDATOR-383) Commons-collections object deserialization remote command execution vulnerability
Date Thu, 03 Dec 2015 23:36:10 GMT
Brandon Kite created VALIDATOR-383:
--------------------------------------

             Summary: Commons-collections object deserialization remote command execution vulnerability
                 Key: VALIDATOR-383
                 URL: https://issues.apache.org/jira/browse/VALIDATOR-383
             Project: Commons Validator
          Issue Type: Bug
    Affects Versions: 1.4.1 Release
            Reporter: Brandon Kite


I copied this issue from a different project since it also impacts commons-validator.

Read: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
TL;DR: If you have commons-collections on your classpath and accept and process Java object
serialization data, then you probably have an exploitable remote command execution vulnerability.

The Commons Collection dependency should be upgraded to the latest version (4.1) to remediate
this vulnerability.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
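As an added example, not part of this ticket or of Commons Validator: a service that must keep accepting Java serialization data can, alongside the dependency upgrade the ticket asks for, reject unexpected classes before the JDK instantiates them. This assumes Java 9+ (for `Set.of`) and that the application only ever expects the listed types; the allow list is a placeholder for the real application's types.

```java
import java.io.*;
import java.util.Set;

// Look-ahead ObjectInputStream: every class descriptor in the stream is
// checked here before the JDK instantiates it, so a gadget chain built on
// commons-collections classes fails at the first descriptor, not after
// its readObject() side effects have already run.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Types the application genuinely expects (assumption for this example).
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.Integer", "java.lang.Number");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject the library named in the ticket outright, then require an
        // exact allow-list hit for everything else (deny by default).
        if (name.startsWith("org.apache.commons.collections")
                || !ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not permitted in serialized input");
        }
        return super.resolveClass(desc);
    }

    // Helper: serialize an object and read it back through the filter.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        try (ObjectInputStream ois = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + roundTrip(Integer.valueOf(42)));
        try {
            roundTrip(new java.util.HashMap<String, String>()); // not on the list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the built-in `ObjectInputFilter` (`jdk.serialFilter`); the override above works on older runtimes too.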
