Arbitrary remote code execution with InvokerTransformer.
Due to the behavior of InvokerTransformer, an arbitrary code execution attack may be executed against any application performing deserialization of user-supplied objects when commons-collections is on the classpath.
The intended behavior of InvokerTransformer is to allow for the invocation of any method on the Java classpath. The InvokerTransformer class implements Serializable and therefore can be included in a serialized object. The combination of InvokerTransformer's intended functionality and its serializability allows an attacker to embed malicious content, such as Runtime.getRuntime().exec() via Java reflection, allowing arbitrary code execution.
The application is vulnerable if it allows deserialization of untrusted data.
The project is actively working on a new release to address this issue. Upgrading to a non-vulnerable version is not possible at this time. A potential workaround is to remove commons-collections from the classpath or to remove the InvokerTransformer class from the
Note: This is not specifically a commons-collections issue. Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality will be subject to the same exploit.
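Because the underlying problem is deserialization of untrusted data rather than one library, the defensive control belongs on the deserializing side. The following is an added example, not code from the advisory or the Commons Collections project: a look-ahead ObjectInputStream that checks each class descriptor against an allow-list before the class is resolved, so InvokerTransformer (package org.apache.commons.collections.functors, or collections4.functors in 4.x) or any other unexpected gadget class is rejected before it can be instantiated. The allowed package prefixes are an assumption for the demo; on Java 9+ the same policy can be expressed with ObjectInputStream.setObjectInputFilter or the jdk.serialFilter property.

```java
import java.io.*;
import java.util.*;

// Look-ahead deserialization: reject classes by name before they are loaded.
public class SafeObjectInputStream extends ObjectInputStream {

    // Assumed allow-list: only these package prefixes may appear in an untrusted
    // stream. Extend it with the application's own value classes; never add
    // packages that contain reflective functors such as InvokerTransformer.
    private static final List<String> ALLOWED_PREFIXES =
            Arrays.asList("java.lang.", "java.util.");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass receives the descriptor read from the stream before any
    // instance exists, so a rejected class never runs its readObject logic.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "class rejected by deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    static boolean isAllowed(String className) {
        for (String prefix : ALLOWED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false; // arrays ("[L...") and everything else are denied
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless ArrayList round-trips through the
        // hardened stream, while a functor class name is refused by the policy.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            System.out.println("accepted: " + in.readObject());
        }
        System.out.println("InvokerTransformer allowed? " + isAllowed(
                "org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```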