An application that accepts serialized objects and deserializes the objects without performing appropriate validation is susceptible to remote execution vulnerabilities. This is a common weakness described in "CWE-502: Deserialization of Untrusted Data" (http://cwe.mitre.org/data/definitions/502.html) and is applicable across multiple platforms, including Java.
In January and November 2015, information was published that demonstrated how this vulnerability can be exploited using the Apache Commons Collections libraries, v3.2.1 and v4.0.
Solution Background
Object serialization is widely used on platforms such as Java and is even the centerpiece of Java technologies like RMI, EJB, JMX, etc. The root cause of the problem is that if any object reachable from your runtime declares itself serializable and could be fooled into doing something harmful by malicious data, it can be exploited through deserialization. Applications must never deserialize untrusted data.
For details, see Vulnerability Note VU#576313: Apache Commons Collections Java library insecurely deserializes data (http://www.kb.cert.org/vuls/id/576313).
All applications that package Apache Commons Collections must be updated to use v3.2.2 (released) or v4.1 (not yet released, as of this writing).
Duplicates: BSERV-8193 Update Apache Commons Collections to v3.2.2 (Closed)