[
https://issues.apache.org/jira/browse/COLLECTIONS-580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14995713#comment-14995713
]
Thomas Neidhart commented on COLLECTIONS-580:
---------------------------------------------
We are currently working on a new release to address the issue.
As a solution, we prefer to introduce a new system property that controls
whether the InvokerTransformer can be serialized or not. The default would be
false, thus using the new version of the library will mean that any attempt to
de-serialize an InvokerTransformer will result in an exception.
> Arbitrary remote code execution with InvokerTransformer
> -------------------------------------------------------
>
> Key: COLLECTIONS-580
> URL: https://issues.apache.org/jira/browse/COLLECTIONS-580
> Project: Commons Collections
> Issue Type: Bug
> Affects Versions: 3.0, 4.0
> Reporter: Philippe Marschall
>
> With {{InvokerTransformer}} serializable collections can be build that
> execute arbitrary Java code.
> {{sun.reflect.annotation.AnnotationInvocationHandler#readObject}} invokes
> {{#entrySet}} and {{#get}} on a deserialized collection. If you have an
> endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you
> can combine the two to create arbitrary remote code execution vulnerability.
> I don't know of a good fix short of removing {{InvokerTransformer}} or making
> it not Serializable. Both probably break existing applications.
> This is not my research, but has been discovered by other people.
> https://github.com/frohoff/ysoserial
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
