Date | Who | What changed | Old value | New value | Message
2015-11-10 19:52:54 | Steve Beattie | bug | | | added bug
2015-11-10 19:53:17 | Steve Beattie | description
Old value:
With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
I don't know of a good fix short of removing InvokerTransformer or making it not Serializable. Both probably break existing applications.
This is not my research, but has been discovered by other people.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
New value:
With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
2015-11-10 19:56:16 | Steve Beattie | bug task added | | libcommons-collections4-java (Ubuntu) |
2015-11-10 19:57:18 | Steve Beattie | description
Old value:
With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
New value:
Upstream bug report: https://issues.apache.org/jira/browse/COLLECTIONS-580
With InvokerTransformer serializable collections can be built that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create an arbitrary remote code execution vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
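Added defensive example, not code from the bug report or from the Commons Collections project: an ObjectInputStream subclass that rejects the classes named in the description before their readObject() can run, and otherwise only admits classes under an application-chosen package prefix (com.example.model. is a placeholder).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Look-ahead deserialization: ObjectInputStream calls resolveClass() for each class
// descriptor before allocating an instance, so a class rejected here never has its
// readObject() run. Added example; package prefixes below are placeholders.
public class SafeObjectInputStream extends ObjectInputStream {
    // Gadget classes named in the report; application data never legitimately needs them.
    private static final Set<String> DENIED = Set.of(
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        "sun.reflect.annotation.AnnotationInvocationHandler");

    // Package prefixes the application trusts, e.g. "com.example.model." (placeholder).
    private final Set<String> allowedPrefixes;

    public SafeObjectInputStream(InputStream in, Set<String> allowedPrefixes) throws IOException {
        super(in);
        this.allowedPrefixes = allowedPrefixes;
    }

    // "[[Lcom.example.Foo;" -> "com.example.Foo"; "[I" -> "I" (primitive array).
    private static String elementType(String name) {
        String e = name;
        while (e.startsWith("[")) e = e.substring(1);
        return (e.startsWith("L") && e.endsWith(";")) ? e.substring(1, e.length() - 1) : e;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        final String name = desc.getName();
        final String element = elementType(name);
        if (DENIED.contains(element)) {
            throw new InvalidClassException(name, "deserialization of this class is blocked");
        }
        boolean allowed = element.length() == 1                  // primitive array element
                || element.startsWith("java.lang.")               // String, Integer, ...
                || allowedPrefixes.stream().anyMatch(element::startsWith);
        if (!allowed) {
            throw new InvalidClassException(name, "class is not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }
}
```

Use it in place of a plain ObjectInputStream at the endpoint, e.g. `new SafeObjectInputStream(in, Set.of("com.example.model."))`; on Java 9 and later (and 8u121 and later) the built-in ObjectInputFilter / jdk.serialFilter mechanism gives the same look-ahead check without subclassing.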
2015-11-23 10:30:39 | Launchpad Janitor | libcommons-collections3-java (Ubuntu): status | New | Confirmed |
2015-11-23 10:30:39 | Launchpad Janitor | libcommons-collections4-java (Ubuntu): status | New | Confirmed |
2015-11-23 11:12:48 | Bert Driehuis | cve linked | | 2015-4852 |
2015-11-23 11:15:54 | Bert Driehuis | bug | | | added subscriber Bert Driehuis
2015-11-29 18:19:31 | Hans Joachim Desserud | tags | | patch |
2015-12-01 13:53:08 | Bert Driehuis | cve linked | | 2015-7501 |