Arbitrary remote code execution with InvokerTransformer

Bug #1514985 reported by Steve Beattie on 2015-11-10
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libcommons-collections3-java (Ubuntu)
Undecided
Unassigned
libcommons-collections4-java (Ubuntu)
Undecided
Unassigned

Bug Description

Upstream bug report: https://issues.apache.org/jira/browse/COLLECTIONS-580

With InvokerTransformer serializable collections can be build that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create arbitrary remote code execution vulnerability.

https://github.com/frohoff/ysoserial

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[No CVE has been assigned for this yet]

CVE References

Steve Beattie (sbeattie) on 2015-11-10
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libcommons-collections3-java (Ubuntu):
status: New → Confirmed
Changed in libcommons-collections4-java (Ubuntu):
status: New → Confirmed
Bert Driehuis (driehuis) wrote :

Upstream has released 3.2.2, acknowledging the affected code in 3.0 thru 3.2.1 as dangerously broken.
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=15006492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15006492

Oracle seems to be okay with using CVE-2015-4852 for this vulnerability. For that reason, I think a seperate CVE may not be forthcoming.
-> http://www.openwall.com/lists/oss-security/2015/11/18/1

Upstream will not release a fixed 3.2.1
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=14996208&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14996208

For Ubuntu, I see two options:
* Upgrade to 3.2.2
* Cherrypick the changes between 3.2.2 and 3.2.1 that affect deserialization

Bert Driehuis (driehuis) wrote :

The patch is here:
-> https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

Suggestion for the Ubuntu changelog if the cherrypick approach is taken:

The commons-collections library was discovered by foxglovesecurity to allow pre-auth code execution in environments that may deserialize user input. This is particularly true of JBoss, because it has its management interface attached to the default web socket. Any application using commons-collections is at risk if there is a way to input crafted serialized data.

Cherrypick COLLECTIONS-580.patch from commons-collections3-3.2.2.jar to fix the vulnerability referred to in CVE-2015-4852 (No CVE has been assigned to commons-collections, where the actual implementation issue is).

The patch disables deserialization of untrusted data by default. By setting the system property DESERIALIZE to true, the old (dangerous) behavior can be reinstated.

tags: added: patch
Bert Driehuis (driehuis) wrote :

Redhat released their fixed rpm referencing CVE-2015-7501 (RHSA-2015:2521). It looks like they cherrypicked the COLLECTIONS-580.patch and released it as jakarta-commons-collections 0:3.2.1-3.5.el6_7.

As usual, MITRE still has CVE-2015-7501 as "reserved".

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers