[
https://issues.apache.org/jira/browse/COLLECTIONS-580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14996208#comment-14996208
]
Joerg Schaible commented on COLLECTIONS-580:
--------------------------------------------
Hi Paul,
we do not re-release; Thomas intends to release a new version 3.2.2 only (with
some additional cheap bug fixes). I don't know if we gain a lot if we also make
releases for older code lines (e.g. release a new 3.1.1, 3.0.1, 2.1.2, 2.0.1
and/or 1.0.1) with this cherry-pick only. The line is supposed to be binary
compatible anyway. If someone does not want to upgrade to 3.2.2, why should he
consider upgrading to one of the other "new" releases?
Cheers,
Jörg
> Arbitrary remote code execution with InvokerTransformer
> -------------------------------------------------------
>
> Key: COLLECTIONS-580
> URL: https://issues.apache.org/jira/browse/COLLECTIONS-580
> Project: Commons Collections
> Issue Type: Bug
> Affects Versions: 3.0, 4.0
> Reporter: Philippe Marschall
>
> With {{InvokerTransformer}}, serializable collections can be built that
> execute arbitrary Java code.
> {{sun.reflect.annotation.AnnotationInvocationHandler#readObject}} invokes
> {{#entrySet}} and {{#get}} on a deserialized collection. If you have an
> endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you
> can combine the two to create an arbitrary remote code execution vulnerability.
> I don't know of a good fix short of removing {{InvokerTransformer}} or making
> it not Serializable. Both probably break existing applications.
> This is not my research, but has been discovered by other people.
> https://github.com/frohoff/ysoserial
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)