[Bug 1514985] Re: Arbitrary remote code execution with InvokerTransformer
Bert Driehuis
1514985 at bugs.launchpad.net
Tue Dec 1 13:56:41 UTC 2015
Red Hat released their fixed rpm referencing CVE-2015-7501
(RHSA-2015:2521). It looks like they cherry-picked the
COLLECTIONS-580.patch and released it as jakarta-commons-collections
0:3.2.1-3.5.el6_7.
As usual, MITRE still has CVE-2015-7501 as "reserved".
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7501
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libcommons-collections3-java in
Ubuntu.
https://bugs.launchpad.net/bugs/1514985
Title:
Arbitrary remote code execution with InvokerTransformer
Status in libcommons-collections3-java package in Ubuntu:
Confirmed
Status in libcommons-collections4-java package in Ubuntu:
Confirmed
Bug description:
Upstream bug report:
https://issues.apache.org/jira/browse/COLLECTIONS-580
With InvokerTransformer, serializable collections can be built that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an
endpoint that accepts serialized Java objects (JMX, RMI, remote EJB,
...) you can combine the two to create an arbitrary remote code
execution vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
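The mechanism described in the bug report, and the check an endpoint owner wants in front of it, as an added example. This is not code from the bug report, from Apache Commons Collections or from ysoserial. It assumes commons-collections 3.2.1 or earlier on the classpath (the COLLECTIONS-580 fix in 3.2.2 makes InvokerTransformer refuse to serialize or deserialize unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true, so step 1 below would throw there instead). The class and method names are chosen for this demo. The chain built here invokes String.toUpperCase() by reflection rather than Runtime.exec(), which is enough to show that InvokerTransformer.transform() calls whatever method name it was constructed with, and that nothing runs on readObject() itself: the call happens when something invokes transform(), which on a real endpoint is AnnotationInvocationHandler.readObject() reaching a LazyMap.get(). The look-ahead ObjectInputStream rejects the gadget in resolveClass(), before any instance of it exists, regardless of which library version is installed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

public class DeserializationAllowListDemo {

    /**
     * Look-ahead ObjectInputStream (hypothetical name, for this demo).
     * resolveClass() runs for every class descriptor in the stream, including
     * superclass descriptors, before an instance of that class is created, so a
     * gadget class is refused before its readObject() can ever run.
     */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        // Only the types this endpoint legitimately expects. Everything else,
        // including org.apache.commons.collections.functors.*, is refused.
        private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
                "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number"));

        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class is not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Deliberately harmless chain: ConstantTransformer yields "hello", then
        // InvokerTransformer looks up "toUpperCase" on it by name and calls it.
        // The public exploit chains use the same mechanism with Runtime.exec().
        Transformer chain = new ChainedTransformer(new Transformer[] {
                new ConstantTransformer("hello"),
                new InvokerTransformer("toUpperCase", new Class[0], new Object[0])
        });
        System.out.println("transform() -> " + chain.transform(null));

        byte[] gadgetBytes = serialize(chain);   // serializable in 3.2.1 and earlier

        // 1. A plain ObjectInputStream rebuilds the chain without complaint.
        //    Nothing has executed yet; the reflective call waits for transform().
        Object restored = new ObjectInputStream(new ByteArrayInputStream(gadgetBytes)).readObject();
        System.out.println("plain stream restored: " + restored.getClass().getName());

        // 2. The allow-listing stream refuses the very first class descriptor
        //    (ChainedTransformer) before constructing anything.
        try {
            new AllowListObjectInputStream(new ByteArrayInputStream(gadgetBytes)).readObject();
            System.out.println("UNEXPECTED: gadget accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }

        // 3. Data the endpoint actually expects still round-trips.
        Map<String, Integer> expected = new HashMap<String, Integer>();
        expected.put("answer", 42);
        Object ok = new AllowListObjectInputStream(new ByteArrayInputStream(serialize(expected))).readObject();
        System.out.println("allow-listed map restored: " + ok);
    }
}
```

An allow-list is preferable to a deny-list of known gadget classes: the functors in commons-collections are only the chain this bug is about, and the same readObject() trigger in AnnotationInvocationHandler works with any other serializable class that calls into attacker-controlled objects. On Java 9 and later (and 8u121 and later) the same policy can be applied JVM-wide with the JEP 290 serialization filter (jdk.serialFilter) instead of subclassing ObjectInputStream, which also covers endpoints such as RMI and JMX that create their own streams.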