The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java application that uses ACC directly, or that merely has ACC on its classpath, may be exposed to arbitrary code execution.
CWE-502: Deserialization of Untrusted Data - CVE-2015-6420
In January 2015, at AppSec California 2015, researchers Gabriel Lawrence and Chris Frohoff described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability.
A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.
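Because the dangerous classes are loaded and instantiated by `ObjectInputStream` before the application ever sees the result, the practical defence is to decide which classes a stream may contain before any of them is resolved. The following is an added illustration, not code from CERT/CC or from the Apache Commons Collections project: a "look-ahead" `ObjectInputStream` subclass that overrides `resolveClass()` with an allowlist, alongside the equivalent JDK 9+ `ObjectInputFilter` (JEP 290) configuration. The class names in the allowlist and the sample payloads are constructed for the example; a `java.util.HashMap` stands in for an unexpected class such as an ACC gadget, so the example runs without ACC on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/**
 * Look-ahead deserialization: resolveClass() runs for every class descriptor
 * before the corresponding object is instantiated, so a class that is not on
 * the allowlist is refused before its readObject()/readResolve() or any other
 * code of that class can execute.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    // Constructed allowlist for this example: only the exact classes this
    // endpoint legitimately expects. A real application lists its own DTOs.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.ArrayList",
            "java.lang.Integer",
            "java.lang.Number");   // superclass descriptor of Integer

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: the class is neither loaded nor instantiated.
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Serializes an object to bytes; stands in for data received from a client. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes through the allowlist; returns null when the stream is rejected. */
    static Object readSafely(byte[] data) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload type: accepted and fully deserialized.
        List<Integer> expected = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("accepted: " + readSafely(serialize(expected)));

        // Unexpected type (constructed stand-in for an ACC gadget object): rejected
        // at the class descriptor, before any HashMap code runs.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        System.out.println("result: " + readSafely(serialize(unexpected)));

        // JDK 9+ alternative (JEP 290): a built-in filter with the same allowlist.
        // The trailing "!*" rejects every class not matched by an earlier pattern.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.Integer;java.lang.Number;!*");
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(serialize(unexpected)))) {
            in.setObjectInputFilter(filter);   // must be set before the first readObject()
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Both mechanisms reject by class name before instantiation, which is what matters here: the published ACC chains do their work inside `readObject()` and related hooks of classes the application never asked for, so a filter applied after `readObject()` returns is already too late. The subclass approach works on Java 7 and 8 (the versions current when this note was published); on Java 9 and later the `ObjectInputFilter` can also be applied process-wide through the `jdk.serialFilter` system property rather than per stream.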
The CERT/CC is currently unaware of a full solution to this problem, but you may consider the following:
Apache Software Foundation
Red Hat, Inc.
This type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.
This document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.
Date First Published: 2015-11-13
Date Last Updated: 2018-08-27 17:57 UTC