*** This bug is a security vulnerability ***

Public security bug reported:

Upstream bug report: https://issues.apache.org/jira/browse/COLLECTIONS-580

With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.

https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[No CVE has been assigned for this yet]

** Affects: libcommons-collections3-java (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libcommons-collections4-java (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
- I don't know of a good fix short of removing InvokerTransformer or
- making it not Serializable. Both probably break existing applications.
- 
- This is not my research, but has been discovered by other people.
- 
  https://github.com/frohoff/ysoserial
  http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  [No CVE has been assigned for this yet]

** Also affects: libcommons-collections4-java (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

+ Upstream bug report:
+ https://issues.apache.org/jira/browse/COLLECTIONS-580
+ 
  With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
  https://github.com/frohoff/ysoserial
  http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  [No CVE has been assigned for this yet]

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1514985

Title:
  Arbitrary remote code execution with InvokerTransformer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
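One defensive pattern for the kind of endpoint the report describes, as an added example that is not part of the bug report or of Commons Collections: a look-ahead ObjectInputStream that refuses the Commons Collections functor classes (InvokerTransformer among them) and the AnnotationInvocationHandler entry point in resolveClass, before any readObject on the stream can run. The class name FilteringObjectInputStream and the deny-list prefixes are assumptions; on Java 9+ the built-in ObjectInputFilter (jdk.serialFilter) is the preferred mechanism, ideally configured as an allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.HashMap;
import java.util.Map;

// Look-ahead deserialization: every class is vetted in resolveClass, before an instance exists.
public class FilteringObjectInputStream extends ObjectInputStream {
    // Constructed deny-list: the Commons Collections functors (InvokerTransformer among them)
    // and the JDK class whose readObject drives the chain. An allow-list is stronger still.
    private static final String[] DENIED_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors.",
        "sun.reflect.annotation.AnnotationInvocationHandler",
    };
    public FilteringObjectInputStream(InputStream in) throws IOException { super(in); }

    static boolean isDenied(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Throwing here aborts the stream before the denied class's readObject can run.
        if (isDenied(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not permitted from untrusted input");
        }
        return super.resolveClass(desc);
    }

    // Demo: a plain HashMap still round-trips; the gadget class name is refused by the check.
    public static void main(String[] args) throws Exception {
        Map<String, Integer> payload = new HashMap<>();
        payload.put("answer", 42);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(payload); }
        try (ObjectInputStream ois = new FilteringObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("accepted: " + ois.readObject());
        }
        System.out.println("InvokerTransformer denied: "
            + isDenied("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```

A deny-list only covers the chains you already know about; treat it as a stop-gap while the endpoint is moved off native Java serialization or onto an allow-list filter.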
