[Bug 1514985] Re: Arbitrary remote code execution with InvokerTransformer

Bert Driehuis 1514985 at bugs.launchpad.net
Mon Nov 23 13:00:11 UTC 2015


The patch is here:
-> https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

Suggestion for the Ubuntu changelog if the cherrypick approach is taken:

The commons-collections library was discovered by foxglovesecurity to
allow pre-auth code execution in environments that may deserialize user
input. This is particularly true of JBoss, because it has its management
interface attached to the default web socket. Any application using
commons-collections is at risk if there is a way to input crafted
serialized data.

Cherrypick COLLECTIONS-580.patch from commons-collections3-3.2.2.jar to
fix the vulnerability referred to in CVE-2015-4852 (No CVE has been
assigned to commons-collections, where the actual implementation issue
is).

The patch disables deserialization of untrusted data by default. By
setting the system property DESERIALIZE to true, the old (dangerous)
behavior can be reinstated.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libcommons-collections3-java in
Ubuntu.
https://bugs.launchpad.net/bugs/1514985

Title:
  Arbitrary remote code execution with InvokerTransformer

Status in libcommons-collections3-java package in Ubuntu:
  Confirmed
Status in libcommons-collections4-java package in Ubuntu:
  Confirmed

Bug description:
  Upstream bug report:
  https://issues.apache.org/jira/browse/COLLECTIONS-580

  With InvokerTransformer, serializable collections can be built that
  execute arbitrary Java code.
  sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
  #entrySet and #get on a deserialized collection. If you have an
  endpoint that accepts serialized Java objects (JMX, RMI, remote EJB,
  ...) you can combine the two to create an arbitrary remote code
  execution vulnerability.

  https://github.com/frohoff/ysoserial

  http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

  [No CVE has been assigned for this yet]
