Discussion:
[Bug 1514985] [NEW] Arbitrary remote code execution with InvokerTransformer
Steve Beattie
2015-11-10 19:52:54 UTC
*** This bug is a security vulnerability ***

Public security bug reported:

Upstream bug report:
https://issues.apache.org/jira/browse/COLLECTIONS-580

With InvokerTransformer serializable collections can be built that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create an arbitrary remote code execution vulnerability.

https://github.com/frohoff/ysoserial

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[No CVE has been assigned for this yet]

** Affects: libcommons-collections3-java (Ubuntu)
Importance: Undecided
Status: New

** Affects: libcommons-collections4-java (Ubuntu)
Importance: Undecided
Status: New

** Description changed:

With InvokerTransformer serializable collections can be built that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create an arbitrary remote code execution vulnerability.

- I don't know of a good fix short of removing InvokerTransformer or
- making it not Serializable. Both probably break existing applications.
-
- This is not my research, but has been discovered by other people.
-
https://github.com/frohoff/ysoserial

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[No CVE has been assigned for this yet]

** Also affects: libcommons-collections4-java (Ubuntu)
Importance: Undecided
Status: New

** Description changed:

+ Upstream bug report:
+ https://issues.apache.org/jira/browse/COLLECTIONS-580
+
With InvokerTransformer serializable collections can be built that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create an arbitrary remote code execution vulnerability.

https://github.com/frohoff/ysoserial

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[No CVE has been assigned for this yet]
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1514985

Title:
Arbitrary remote code execution with InvokerTransformer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-***@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
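The vulnerable pattern the report describes, a plain ObjectInputStream.readObject() on bytes that arrive from the network, shown beside a look-ahead reader that rejects unexpected class descriptors before any readObject() can run. This is an added example, not code from the bug report, from ysoserial or from commons-collections. It needs no commons-collections on the classpath: the Untrusted class is a constructed stand-in whose readObject() only prints where the InvokerTransformer chain would run a command, and the allowlist assumes a hypothetical endpoint that expects a HashMap of String to Integer.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class LookAheadDeserialization {

    /** Constructed stand-in for a gadget class (not a real gadget): its
     *  readObject() has a visible side effect, a print, at the point where the
     *  AnnotationInvocationHandler/InvokerTransformer chain would run a command. */
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Untrusted.readObject() ran: too late to validate");
        }
    }

    /** Vulnerable pattern: any Serializable class on the classpath can be
     *  instantiated and its readObject() run before the caller sees the result. */
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: resolveClass() is called for every class descriptor in
     *  the stream, superclasses included, before that class's readObject() runs,
     *  so refusing there stops a gadget before it fires. An allowlist of the
     *  types the endpoint actually expects is stricter than any blocklist. */
    static Object readAllowlisted(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Types the hypothetical endpoint expects. Integer's serializable
        // superclass Number must be listed too, since its descriptor is resolved.
        Set<String> allowed = new HashSet<>(Arrays.asList(
            "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

        Map<String, Integer> benign = new HashMap<>();   // constructed benign input
        benign.put("answer", 42);
        byte[] good = serialize(benign);
        System.out.println("allowlisted reader, benign input: " + readAllowlisted(good, allowed));

        byte[] hostile = serialize(new Untrusted());      // constructed hostile input
        readUnsafe(hostile);                               // the stand-in's readObject() runs
        try {
            readAllowlisted(hostile, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected before readObject(): " + e.classname);
        }
    }
}
```

The check in resolveClass() works because the stream's class descriptors are resolved before an instance is created, which is why the chain in the report is stopped at its first descriptor whatever the rest of the stream contains. On Java 9 and later the same allowlist can be expressed without subclassing through ObjectInputFilter, for example the pattern java.util.HashMap;java.lang.Integer;java.lang.Number;!* passed to setObjectInputFilter() on the stream, or JVM-wide through the jdk.serialFilter system property.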
Launchpad Bug Tracker
2015-11-23 10:30:39 UTC
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libcommons-collections3-java (Ubuntu)
Status: New => Confirmed
Launchpad Bug Tracker
2015-11-23 10:30:39 UTC
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libcommons-collections4-java (Ubuntu)
Status: New => Confirmed
Bert Driehuis
2015-11-23 11:12:48 UTC
Upstream has released 3.2.2, acknowledging the affected code in 3.0 thru 3.2.1 as dangerously broken.
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=15006492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15006492

Oracle seems to be okay with using CVE-2015-4852 for this vulnerability. For that reason, I think a separate CVE may not be forthcoming.
-> http://www.openwall.com/lists/oss-security/2015/11/18/1

Upstream will not release a fixed 3.2.1
-> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=14996208&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14996208

For Ubuntu, I see two options:
* Upgrade to 3.2.2
* Cherry-pick the changes between 3.2.2 and 3.2.1 that affect deserialization

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4852
Bert Driehuis
2015-11-23 13:00:11 UTC
The patch is here:
-> https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

Suggestion for the Ubuntu changelog if the cherry-pick approach is taken:

The commons-collections library was discovered by foxglovesecurity to
allow pre-auth code execution in environments that may deserialize user
input. This is particularly true of JBoss, because it has its management
interface attached to the default web socket. Any application using
commons-collections is at risk if there is a way to input crafted
serialized data.

Cherry-pick COLLECTIONS-580.patch from commons-collections3-3.2.2.jar to
fix the vulnerability referred to in CVE-2015-4852 (No CVE has been
assigned to commons-collections, where the actual implementation issue
is).

The patch disables deserialization of untrusted data by default. By
setting the system property DESERIALIZE to true, the old (dangerous)
behavior can be reinstated.
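A check for whether the fix discussed above is actually in effect on a given classpath, as an added example that is not part of the patch or of the bug thread. It round-trips a harmless InvokerTransformer through Java serialization: a library that still accepts serialized functors (3.0 through 3.2.1, or a patched build with the unsafe property switched on) lets it through, while the 3.2.2 check in FunctorUtils refuses with an UnsupportedOperationException. The property name used here, org.apache.commons.collections.enableUnsafeSerialization, is the one read by upstream's 3.2.2 FunctorUtils and is stated as an assumption about the jar you ship; confirm it against the cherry-picked source.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.apache.commons.collections.functors.InvokerTransformer;

/** Added check (not from the patch): tells whether the commons-collections on
 *  the classpath still serializes and deserializes InvokerTransformer. */
public class FunctorSerializationCheck {

    // Assumed: the system property upstream 3.2.2 consults in
    // FunctorUtils.checkUnsafeSerialization(). Verify against the shipped jar.
    static final String UNSAFE_PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns true if (de)serialization of InvokerTransformer is refused,
     *  false if the functor round-trips, i.e. the library is still exploitable
     *  by any endpoint that deserializes attacker-supplied bytes. */
    static boolean functorSerializationBlocked() throws Exception {
        // Harmless instance: would invoke toString() with no arguments. The danger
        // is not this instance but that an attacker chooses the method and args.
        InvokerTransformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);
        try {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
                out.writeObject(t);   // 3.2.2 checks here as well as in readObject()
            }
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
                Object back = in.readObject();
                return !(back instanceof InvokerTransformer);   // round-tripped: not blocked
            }
        } catch (UnsupportedOperationException e) {
            // Patched library: "Serialization support for ... is disabled for security reasons"
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean blocked = functorSerializationBlocked();
        System.out.println("InvokerTransformer serialization blocked: " + blocked
            + " (" + UNSAFE_PROP + "=" + System.getProperty(UNSAFE_PROP) + ")");
        if (!blocked) {
            System.out.println("commons-collections on this classpath still (de)serializes functors:"
                + " unpatched 3.0-3.2.1, or the unsafe property is enabled");
            System.exit(1);
        }
    }
}
```

Run it with the jar under test on the classpath, for example java -cp commons-collections-3.2.2.jar:. FunctorSerializationCheck, and expect a zero exit status; running it again with -Dorg.apache.commons.collections.enableUnsafeSerialization=true shows the old behaviour restored, which is why that property must never be set in a process that deserializes untrusted input. The check only covers the functor gate the patch adds; it says nothing about which endpoints in the application deserialize untrusted bytes, which is the condition the report names.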
Hans Joachim Desserud
2015-11-29 18:19:31 UTC
** Tags added: patch
Bert Driehuis
2015-12-01 13:56:41 UTC
Red Hat released their fixed rpm referencing CVE-2015-7501
(RHSA-2015:2521). It looks like they cherrypicked the
COLLECTIONS-580.patch and released it as jakarta-commons-collections
0:3.2.1-3.5.el6_7.

As usual, MITRE still has CVE-2015-7501 as "reserved".

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7501