Overview
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.
Description
CWE-502: Deserialization of Untrusted Data - CVE-2015-6420

In January 2015, at AppSec California 2015, researchers Gabriel Lawrence and Chris Frohoff described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability.
Impact
A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.
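The mitigation that the secure-coding references below describe is to validate class names before the JVM instantiates anything from the stream. The following is an added illustration, not code from the CERT note or from Apache Commons: a look-ahead ObjectInputStream that enforces an allowlist in resolveClass and, as defence in depth, refuses the Commons Collections package outright. The allowlisted class names and the sample payloads are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.*;

/** Added example (not from the CERT note): a look-ahead ObjectInputStream that
 *  checks each class name before the JVM instantiates it. A gadget chain such as
 *  the ACC one only works if the stream may name arbitrary classes. */
public class SafeObjectInputStream extends ObjectInputStream {
    // Allowlist (assumed for this demo): the only classes this endpoint expects.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));

    // Defence in depth: never resolve classes from the package carrying the ACC gadgets.
    private static final String DENIED_PREFIX = "org.apache.commons.collections";

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (name.startsWith(DENIED_PREFIX) || !ALLOWED.contains(name)) {
            // Thrown before any constructor or readObject() of that class can run.
            throw new InvalidClassException(name, "class not permitted by deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the payload the endpoint legitimately expects.
        byte[] expected = serialize(new ArrayList<>(Arrays.asList(1, 2, 3)));
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(expected))) {
            System.out.println("accepted: " + in.readObject());
        }
        // Constructed sample input: a class the endpoint never expects, standing in
        // for an untrusted stream; it is rejected without being instantiated.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(unexpected))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Strings are written as TC_STRING records rather than class descriptors, so they never reach resolveClass; Integer does, together with its superclass Number, which is why both appear in the allowlist.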
Solution
The CERT/CC is currently unaware of a full solution to this problem, but you may consider the following:
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 6.4 | E:POC/RL:W/RC:C |
Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
- https://issues.apache.org/jira/browse/COLLECTIONS-580
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
- https://networks.unify.com/security/advisories/OBSO-1511-01.pdf
- http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
- http://www.openwall.com/lists/oss-security/2015/11/11/3
- http://www.infoq.com/news/2015/11/commons-exploit
- https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/
- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3c20151106222553.00002c57.ecki@zusammenkunft.net%3e
- http://frohoff.github.io/appseccali-marshalling-pickles/
- http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
- https://www.youtube.com/watch?v=VviY3O-euVQ
- https://commons.apache.org/proper/commons-collections/
- http://cwe.mitre.org/data/definitions/502.html
- https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407
- http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8
Acknowledgements
This type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.
This document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.
Other Information
Field | Value |
---|---|
CVE IDs | CVE-2015-6420 |
Date Public | 2015-01-28 |
Date First Published | 2015-11-13 |
Date Last Updated | 2018-08-27 17:57 UTC |
Document Revision | 89 |