Posted to issues@commons.apache.org by "Leon Tebbens (JIRA)" <ji...@apache.org> on 2015/11/10 13:52:11 UTC

[jira] [Issue Comment Deleted] (COLLECTIONS-580) Arbitrary remote code execution with InvokerTransformer

     [ https://issues.apache.org/jira/browse/COLLECTIONS-580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leon Tebbens updated COLLECTIONS-580:
-------------------------------------
    Comment: was deleted

(was: I do not want to spoil the party, but are you guys absolutely sure that a hacker can inject executable code by manipulation of a serialized object (like a cookie)? IMHO serializing is only about fields (data) not methods (code).

Like all user input, a cookie (or any other string or object under control of the world outside your application) should be treated by developers as unsafe input.

There's also no CVE issued for this "vulnerability" by oss security, because they think it is not possible to exploit this "vulnerability".)

> Arbitrary remote code execution with InvokerTransformer
> -------------------------------------------------------
>
>                 Key: COLLECTIONS-580
>                 URL: https://issues.apache.org/jira/browse/COLLECTIONS-580
>             Project: Commons Collections
>          Issue Type: Bug
>    Affects Versions: 3.0, 4.0
>            Reporter: Philippe Marschall
>         Attachments: COLLECTIONS-580.patch
>
>
> With {{InvokerTransformer}} serializable collections can be built that execute arbitrary Java code. {{sun.reflect.annotation.AnnotationInvocationHandler#readObject}} invokes {{#entrySet}} and {{#get}} on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
> I don't know of a good fix short of removing {{InvokerTransformer}} or making it not Serializable. Both probably break existing applications.
> This is not my research, but has been discovered by other people.
> https://github.com/frohoff/ysoserial
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)