InvokerTransformer, an arbitrary code execution attack may be executed against any application performing deserialization of user-supplied objects when commons-collections is on the classpath.

The intended behavior of InvokerTransformer is to allow for the invocation of any method on the Java classpath. The InvokerTransformer class implements Serializable and therefore can be included in a serialized object. The combination of InvokerTransformer's intended functionality and its serializability allows an attacker to embed malicious content, such as Runtime.getRuntime().exec() via Java reflection, allowing arbitrary code execution.
commons-collections from the classpath or to remove the InvokerTransformer class from the commons-collections jar file.
Note: This is not specifically a commons-collections issue. Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality will be subject to the same exploit.
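Because the note above applies to any serializable class with dangerous behavior, not only InvokerTransformer, the durable fix for an application that must deserialize user-supplied bytes is to refuse every class it does not explicitly expect. The following is an added example, not code from the original page or from the Commons Collections project: it uses the JDK's ObjectInputFilter API (JEP 290, available since Java 9 and backported to 8u121) to install an allow-list on an ObjectInputStream. The Greeting class, the serialized inputs and the filter pattern are constructed for the example; the filter is evaluated when the class descriptor is read, so a rejected class's constructor and readObject never execute.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/** Hypothetical application DTO that the service legitimately expects on the wire. */
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

/**
 * Added example (not from the original page): deserializing untrusted bytes behind
 * a strict allow-list so that unexpected serializable classes, including everything
 * under org.apache.commons.collections, are rejected before any of their code runs.
 */
public class SafeDeserialization {

    /**
     * Allow-list filter. Only the listed class names are accepted; the trailing "!*"
     * rejects everything else. maxdepth and maxarray bound resource consumption so a
     * deeply nested or huge graph cannot exhaust the JVM before the filter bites.
     */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;"
          + "java.lang.String;java.util.ArrayList;Greeting;!*");

    /** Serialize any object to bytes; used here only to construct the sample inputs. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize untrusted bytes with the allow-list installed on the stream. */
    static Object deserializeUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected shape: a Greeting inside an ArrayList. Every class involved is listed, so it is accepted.
        List<Greeting> expected = new ArrayList<>();
        expected.add(new Greeting("hello"));
        Object result = deserializeUntrusted(serialize(expected));
        System.out.println("accepted: " + ((Greeting) ((List<?>) result).get(0)).text);

        // A HashMap stands in for any class the service did not plan for (a gadget
        // class arriving from the network would be handled identically). The filter
        // rejects it when its class descriptor is read, with an InvalidClassException.
        try {
            deserializeUntrusted(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without touching application code by starting the JVM with -Djdk.serialFilter=... or by calling ObjectInputFilter.Config.setSerialFilter(...) once at startup; a per-stream filter as above is preferable when different endpoints expect different types. An allow-list is the right default here: a deny-list of known gadget classes has to be updated every time a new one is published, whereas the allow-list already rejects it.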