Severity
CVSS: 9.3
Description
Arbitrary remote code execution with InvokerTransformer.
Explanation
Due to the behavior of InvokerTransformer, an arbitrary code execution attack may be mounted against any application that deserializes user-supplied objects while commons-collections is on the classpath.

The intended behavior of InvokerTransformer is to invoke a named method, via reflection, on whatever object it is handed; the method name and argument types are plain strings and classes carried by the transformer, so any method reachable on the Java classpath can be called. The InvokerTransformer class implements Serializable and can therefore be carried inside a serialized object graph. The combination of this intended functionality and its serializability lets an attacker embed a transformer that reflectively calls, for example, Runtime.getRuntime().exec(), giving arbitrary code execution. In practice InvokerTransformer is not used on its own: the published gadget chains nest it with other serializable Transformer implementations from the same library (ConstantTransformer, ChainedTransformer) inside a decorated map such as LazyMap or TransformedMap, whose transform() calls fire while readObject() is still running. The payload therefore executes before the application ever inspects the deserialized result, so validating the returned object afterwards is no defense.
Detection
The application is vulnerable if it deserializes untrusted data: that is, if any code path passes attacker-influenced bytes (HTTP request bodies, RMI or JMX traffic, message-queue payloads, cached session blobs) to ObjectInputStream.readObject() or to a wrapper around it, and a vulnerable commons-collections jar is present on the runtime classpath, whether as a direct dependency or pulled in transitively. Check the deployed artifact rather than only the build file; a shaded or bundled copy of the library counts.
Recommendation
The project is actively working on a new release to address this issue. Upgrading to a non-vulnerable version is not possible at this time. A potential workaround is to remove commons-collections from the classpath or to remove the InvokerTransformer class from the commons-collections jar file; with the class absent, deserialization of such a payload fails with a ClassNotFoundException before anything is executed. Either change can break application code that legitimately uses the library, so test it. The more durable fix is to stop deserializing untrusted data at all or, where that is not possible, to reject unexpected classes before they are instantiated (look-ahead deserialization against an explicit allow list).

Note: This is not specifically a commons-collections issue. Any serializable class that performs reflection (dynamic method invocation) or other dangerous operations during or after deserialization can serve as a gadget for the same attack, so removing this one class does not make deserialization of untrusted data safe.
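The following is an added example, not code from this advisory or from the Apache Commons project. It shows the vulnerable pattern the Detection section describes (a bare readObject() on untrusted bytes) next to two hardened variants of the look-ahead approach recommended above: a subclass of ObjectInputStream that checks every class descriptor against an allow list in resolveClass(), before any instance exists, and the built-in ObjectInputFilter available from Java 9. The class names SafeDeserialization and Message are hypothetical, and a serialized java.util.HashMap stands in for a gadget chain so the example runs without commons-collections on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserialization {

    // Hypothetical: the only type this endpoint legitimately expects.
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        Message(int id) { this.id = id; }
    }

    // Vulnerable pattern from the advisory: readObject() on attacker-supplied bytes.
    // ObjectInputStream resolves and instantiates every class named in the stream,
    // so with commons-collections present an InvokerTransformer gadget chain runs
    // before this method returns.
    static Object deserializeUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened variant: look-ahead deserialization. resolveClass() is called when a
    // class descriptor is read, before any instance is created, so an unexpected
    // class (InvokerTransformer or any other gadget) is rejected up front.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserializeAllowListed(byte[] untrusted, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(untrusted), allowed)) {
            return in.readObject();
        }
    }

    // Java 9+ alternative: the built-in ObjectInputFilter (JEP 290). The pattern
    // allows Message and rejects everything else ("!*"). The same filter can be set
    // process-wide with -Djdk.serialFilter=... without changing application code.
    static Object deserializeFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Message.class.getName() + ";!*"));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Message.class.getName());

        // Expected input passes the gate.
        byte[] good = serialize(new Message(42));
        System.out.println("allow-listed id: " + ((Message) deserializeAllowListed(good, allowed)).id);

        // Constructed stand-in for a gadget chain: a class the endpoint never expects.
        // The unsafe path materialises it; both hardened paths refuse it before construction.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafe path built: " + deserializeUnsafe(unexpected).getClass().getName());
        try {
            deserializeAllowListed(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("allow list rejected: " + e.classname);
        }
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

The allow list must name every class that appears as a descriptor in a legitimate stream, including superclasses and boxed types, which is why the hypothetical Message carries only a primitive field; build the list from real traffic and keep it closed rather than trying to enumerate known gadgets, since the Note above applies to any library that ends up on the classpath.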
Categories
Data, Functional