Steve Beattie
2015-11-10 19:52:54 UTC
*** This bug is a security vulnerability ***
Public security bug reported:
Upstream bug report:
https://issues.apache.org/jira/browse/COLLECTIONS-580
With InvokerTransformer, serializable collections can be built that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create an arbitrary remote code execution vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
** Affects: libcommons-collections3-java (Ubuntu)
Importance: Undecided
Status: New
** Affects: libcommons-collections4-java (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
With InvokerTransformer serializable collections can be build that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create arbitrary remote code execution vulnerability.
- I don't know of a good fix short of removing InvokerTransformer or
- making it not Serializable. Both probably break existing applications.
-
- This is not my research, but has been discovered by other people.
-
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
** Also affects: libcommons-collections4-java (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
+ Upstream bug report:
+ https://issues.apache.org/jira/browse/COLLECTIONS-580
+
With InvokerTransformer serializable collections can be build that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an endpoint
that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can
combine the two to create arbitrary remote code execution vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
[No CVE has been assigned for this yet]
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1514985
Title:
Arbitrary remote code execution with InvokerTransformer
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985/+subscriptions
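As an added illustration of the mitigation side (this is not code from the bug report, from Commons Collections, or from Ubuntu), a look-ahead ObjectInputStream that refuses to resolve the gadget classes named in the report before their readObject() logic can run. The class name SafeObjectInputStream and the deny list are assumptions for this example; an allowlist of the classes an endpoint actually expects is the stronger form of the same resolveClass hook.

```java
import java.io.*;
import java.util.*;

/**
 * Added example: a look-ahead ObjectInputStream. resolveClass() is invoked for
 * every class descriptor in the stream before an instance is created, so a
 * rejection here stops the InvokerTransformer / AnnotationInvocationHandler
 * chain before any readObject() code executes. The deny list is illustrative,
 * not a complete inventory of deserialization gadgets.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    // The two halves of the gadget chain described in the report.
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "org.apache.commons.collections.functors.InvokerTransformer",   // collections3
        "org.apache.commons.collections4.functors.InvokerTransformer",  // collections4
        "sun.reflect.annotation.AnnotationInvocationHandler"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** True if the class name is on the deny list; checked before the class is loaded. */
    static boolean isDenied(String className) {
        return DENIED.contains(className);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isDenied(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless HashMap round-trips through the hardened stream.
        Map<String, Integer> payload = new HashMap<>();
        payload.put("answer", 42);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(payload);
        }
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("read back: " + in.readObject());
        }
        // The deny check on its own, for the class the report blames.
        System.out.println("InvokerTransformer denied? "
            + isDenied("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```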
--
ubuntu-bugs mailing list
ubuntu-***@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs