[Bug 1514985] Re: Arbitrary remote code execution with InvokerTransformer
Launchpad Bug Tracker
1514985 at bugs.launchpad.net
Mon Nov 23 10:30:39 UTC 2015
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: libcommons-collections3-java (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libcommons-collections3-java in
Ubuntu.
https://bugs.launchpad.net/bugs/1514985
Title:
Arbitrary remote code execution with InvokerTransformer
Status in libcommons-collections3-java package in Ubuntu:
Confirmed
Status in libcommons-collections4-java package in Ubuntu:
Confirmed
Bug description:
Upstream bug report:
https://issues.apache.org/jira/browse/COLLECTIONS-580
With InvokerTransformer serializable collections can be build that
execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes
#entrySet and #get on a deserialized collection. If you have an
endpoint that accepts serialized Java objects (JMX, RMI, remote EJB,
...) you can combine the two to create arbitrary remote code execution
vulnerability.
https://github.com/frohoff/ysoserial
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-
jboss-jenkins-opennms-and-your-application-have-in-common-this-
vulnerability/
[No CVE has been assigned for this yet]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985/+subscriptions
More information about the foundations-bugs
mailing list