Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-8202

Security vulnerability in apache commons collections


    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Medium Medium
    • 4.2.0
    • None
    • None

      An application that accepts serialized objects and deserializes the objects without performing appropriate validation is susceptible to remote execution vulnerabilities. This is a common weakness described in "CWE-502: Deserialization of Untrusted Data" (http://cwe.mitre.org/data/definitions/502.html) and is applicable across multiple platforms, including Java.
      In January and November 2015, information was published that demonstrated how this vulnerability can be exploited using the Apache Commons Collections libraries, v3.2.1 and v4.0.

      Solution Background
      Object serialization is widely used on platforms such as Java and is even the centerpiece of Java technologies like RMI, EJB, RMX, etc. The root cause of the problem is that if there is any object reachable from your runtime that declares itself serializable and could be fooled into doing something bad by malicious data, then it can be exploited through deserialization. Applications must never deserialize untrusted data.

      For details, see Vulnerability Note VU#576313: Apache Commons Collections Java library insecurely deserializes data (http://www.kb.cert.org/vuls/id/576313).

      All applications that package Apache commons collections must be updated to use v3.3.2 (released) or v4.1 (not yet released, as of this writing).

            npellow Nick
            49f552c5bd11 Dana Cleveland
            0 Vote for this issue
            2 Start watching this issue