Vulnerability Note VU#576313
Apache Commons Collections Java library insecurely deserializes data
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.
CWE-502: Deserialization of Untrusted Data - CVE-2015-6420
In January 2015, at AppSec California 2015, researchers Gabriel Lawrence and Chris Frohoff described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability.
A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.
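The root problem described above is that `ObjectInputStream.readObject()` will instantiate whatever classes the incoming byte stream names, so any gadget class reachable on the classpath (such as the ACC classes) becomes usable by an attacker who controls the stream. The standard defensive pattern is "look-ahead" deserialization: validate each class name before the JVM resolves it and refuse anything outside an explicit allowlist. The following is an added example written for this note, not code from CERT/CC or from the Apache project; the class and method names (`AllowlistObjectInputStream`, `deserializeSafely`) and the sample payloads are this example's own constructions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (hypothetical names, not from the CERT/CC note): an
 * ObjectInputStream that validates every class descriptor before it is
 * resolved, so a stream naming Apache Commons Collections classes (or any
 * other class the application does not expect) is rejected before any
 * object from it is constructed.
 */
public class SafeDeserializationDemo {

    /** Allowlist of the only classes this application expects in serialized input. */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList",
            "java.lang.String"));

    /** Look-ahead stream: resolveClass() runs before the object is instantiated. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Reject the vulnerable library's packages by prefix, then enforce the allowlist.
            if (name.startsWith("org.apache.commons.collections")) {
                throw new InvalidClassException(name,
                        "Apache Commons Collections classes are not permitted in serialized input");
            }
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Helper used only to build sample input in memory. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize untrusted bytes through the validating stream. */
    static Object deserializeSafely(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: the payload shape the application expects; accepted.
        List<String> benign = new ArrayList<>(Arrays.asList("alpha", "beta"));
        System.out.println("accepted: " + deserializeSafely(serialize(benign)));

        // Constructed sample 2: a class outside the allowlist (HashMap stands in for
        // any unexpected class, gadget or otherwise); rejected before construction.
        Map<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            deserializeSafely(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Two design points: the check is on the class *name* from the stream descriptor, so no class is loaded or instantiated before it passes, and the allowlist is deliberately tiny, since a denylist of known gadget packages is only a second line of defence. On Java 9 and later (and 8u121+), the JDK's built-in `ObjectInputFilter` (JEP 290) expresses the same policy as a pattern string such as `"java.util.ArrayList;java.lang.String;!*"` and can additionally cap depth and array sizes.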
The CERT/CC is currently unaware of a full solution to this problem, but you may consider the following:
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apache Software Foundation | Affected | - | 10 Nov 2015 |
| Cisco | Affected | - | 18 Jul 2017 |
| IBM Corporation | Affected | - | 30 Nov 2015 |
| Jenkins | Affected | - | 30 Nov 2015 |
| Oracle Corporation | Affected | - | 30 Nov 2015 |
| Unify Inc | Affected | - | 30 Nov 2015 |
| Red Hat, Inc. | Unknown | - | 30 Nov 2015 |
CVSS Metrics
This type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.
This document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.
- CVE IDs: CVE-2015-6420
- Date Public: 28 Jan 2015
- Date First Published: 13 Nov 2015
- Date Last Updated: 27 Aug 2018
- Document Revision: 88