You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2015/11/12 04:02:11 UTC

[jira] [Created] (FLINK-3005) Commons-collections object deserialization remote command execution vulnerability

Ted Yu created FLINK-3005:
-----------------------------

             Summary: Commons-collections object deserialization remote command execution vulnerability
                 Key: FLINK-3005
                 URL: https://issues.apache.org/jira/browse/FLINK-3005
             Project: Flink
          Issue Type: Bug
            Reporter: Ted Yu


http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.

Brief search in code base for ObjectInputStream reveals several places where the vulnerability exists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)