You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2015/11/12 04:02:11 UTC
[jira] [Created] (FLINK-3005) Commons-collections object
deserialization remote command execution vulnerability
Ted Yu created FLINK-3005:
-----------------------------
Summary: Commons-collections object deserialization remote command execution vulnerability
Key: FLINK-3005
URL: https://issues.apache.org/jira/browse/FLINK-3005
Project: Flink
Issue Type: Bug
Reporter: Ted Yu
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.
Brief search in code base for ObjectInputStream reveals several places where the vulnerability exists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)