Vulnerability Note VU#576313
Apache Commons Collections Java library insecurely deserializes data
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.
CWE-502: Deserialization of Untrusted Data
In January 2015, at AppSec California 2015, researchers Gabriel Lawrence and Chris Frohoff described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability.
A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.
The CERT/CC is currently unaware of a full solution to this problem, but you may consider the following:
Developers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the CERT Oracle Coding Standard for Java guidelines for Serialization, especially rules SER12-J and SER13-J.
Use firewall rules or filesystem restrictions
System administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application, such as Jenkins, utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apache Software Foundation||Affected||-||10 Nov 2015|
|Cisco||Affected||-||15 Dec 2015|
|IBM Corporation||Affected||-||30 Nov 2015|
|Jenkins||Affected||-||30 Nov 2015|
|Oracle Corporation||Affected||-||30 Nov 2015|
|Unify Inc||Affected||-||30 Nov 2015|
|Red Hat, Inc.||Unknown||-||30 Nov 2015|
CVSS Metrics (Learn More)
This type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.
This document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.
- CVE IDs: Unknown
- Date Public: 28 Jan 2015
- Date First Published: 13 Nov 2015
- Date Last Updated: 15 Dec 2015
- Document Revision: 82
If you have feedback, comments, or additional information about this vulnerability, please send us email.