flink-dev mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FLINK-3005) Commons-collections object deserialization remote command execution vulnerability
Date Thu, 12 Nov 2015 03:02:10 GMT
Ted Yu created FLINK-3005:
-----------------------------

             Summary: Commons-collections object deserialization remote command execution vulnerability
                 Key: FLINK-3005
                 URL: https://issues.apache.org/jira/browse/FLINK-3005
             Project: Flink
          Issue Type: Bug
            Reporter: Ted Yu


http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

TL;DR: If you have commons-collections on your classpath and accept and process Java object
serialization data, then you may have an exploitable remote command execution vulnerability.

A brief search of the code base for ObjectInputStream reveals several places where the vulnerability
exists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
