[Bug 1514985] Re: Arbitrary remote code execution with InvokerTransformer

Bert Driehuis 1514985 at bugs.launchpad.net
Mon Nov 23 11:12:48 UTC 2015


Upstream has released 3.2.2, acknowledging the affected code in 3.0 through 3.2.1 as dangerously broken.
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=15006492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15006492

Oracle seems to be okay with using CVE-2015-4852 for this vulnerability. For that reason, I think a separate CVE may not be forthcoming.
-> http://www.openwall.com/lists/oss-security/2015/11/18/1

Upstream will not release a fixed 3.2.1
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=14996208&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14996208

For Ubuntu, I see two options:
* Upgrade to 3.2.2
* Cherry-pick the changes between 3.2.2 and 3.2.1 that affect deserialization

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4852

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libcommons-collections3-java in
Ubuntu.
https://bugs.launchpad.net/bugs/1514985

Title:
  Arbitrary remote code execution with InvokerTransformer

Status in libcommons-collections3-java package in Ubuntu:
  Confirmed
Status in libcommons-collections4-java package in Ubuntu:
  Confirmed

Bug description:
  Upstream bug report:
  https://issues.apache.org/jira/browse/COLLECTIONS-580

  With InvokerTransformer, serializable collections can be built that
  execute arbitrary Java code.
  sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
  #entrySet and #get on a deserialized collection. If you have an
  endpoint that accepts serialized Java objects (JMX, RMI, remote EJB,
  ...) you can combine the two to create an arbitrary remote code
  execution vulnerability.

  https://github.com/frohoff/ysoserial

  http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

  [No CVE has been assigned for this yet]
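The mechanism described above (AnnotationInvocationHandler#readObject driving an InvokerTransformer out of a deserialized collection) only fires if the gadget classes can be resolved at all. The following is an added example, not code from the bug report or from commons-collections: a look-ahead ObjectInputStream that refuses those classes by name before their readObject runs, which is the kind of endpoint-side hardening available while waiting for the 3.2.2 upgrade. The denylist prefixes and the HashMap sample are assumptions for the demo; a real deployment should prefer an allowlist of expected classes.

```java
import java.io.*;
import java.util.*;

/** Added example (not from the bug report or commons-collections): a look-ahead
 *  ObjectInputStream that refuses to resolve the functor and handler classes
 *  the InvokerTransformer gadget chain relies on. */
public class SafeObjectInputStream extends ObjectInputStream {

    // Assumed denylist: the gadget packages named in the bug report.
    private static final List<String> DENIED_PREFIXES = Arrays.asList(
        "org.apache.commons.collections.functors.",   // InvokerTransformer and friends (3.x)
        "org.apache.commons.collections4.functors.",  // same functors in the 4.x package
        "sun.reflect.annotation.AnnotationInvocationHandler"
    );

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Returns false for any class name that matches a denied prefix. */
    static boolean isAllowed(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) return false;
        }
        return true;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // resolveClass runs before the class's readObject, so a denied class is
        // rejected before any of its deserialization logic can execute.
        if (!isAllowed(name)) {
            throw new InvalidClassException(name, "class refused by deserialization filter");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless map round-trips through the filter.
        Map<String, Integer> original = new HashMap<>();
        original.put("answer", 42);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(original);
        }
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("round-tripped: " + in.readObject());
        }
        // The gadget class is refused by name, so no commons-collections jar is needed here.
        System.out.println("InvokerTransformer allowed? "
            + isAllowed("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```

On Java 9 and later the same check is better expressed with the JDK's built-in ObjectInputFilter, but the resolveClass override works on the Java 7 and 8 runtimes these Ubuntu packages target.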

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985/+subscriptions
