InvokerTransformer, an arbitrary code execution attack may be executed against any application performing deserialization of user-supplied objects when commons-collections is on the classpath.
The intended behavior of InvokerTransformer is to allow the invocation of any method on the Java classpath. The InvokerTransformer class implements Serializable and can therefore be included in a serialized object. The combination of InvokerTransformer's intended functionality and its serializability allows an attacker to embed malicious content, such as a call to Runtime.getRuntime().exec() via Java reflection, leading to arbitrary code execution.
commons-collections from the classpath or to remove the InvokerTransformer class from the
Note: This is not specifically a commons-collections issue. Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality will be subject to the same exploit.