
Java Deserialization: Apache Commons Collections Library #13

@rmikehodges

Description

/*
Title: Apache Commons Collections Deserialization
Description: Search engine meta data about the finding
*/

  • LAST UPDATED DATE: 12 - 13 - 15
  • LAST UPDATED BY: Mike Hodges

Summary

The Apache Commons Collections Java library ships classes, notably InvokerTransformer,
that an attacker can chain into a serializable object graph whose deserialization executes
arbitrary Java code. The library itself does not deserialize anything: the vulnerable party is
any application that deserializes untrusted input while Commons Collections is on its class
path, because the library supplies the gadget chain.

Capabilities and Risk

Any application that has the Apache Commons Collections library in its Java
class path and deserializes data from an untrusted source can be coerced into executing arbitrary code
on the attacker's behalf, with the privileges of the Java process.

This poses a high risk to any server running the ACC library and could
lead to complete compromise of the system.

Detection

Verify the server is running Java with Apache Commons Collections in the class path (for example, a commons-collections*.jar in the application's lib directory).

Identify serialized Java objects being sent to the application. A raw Java serialization stream starts with the bytes AC ED 00 05; base64-encoded it starts with rO0AB. Look for these in cookies, hidden form fields, RMI or JMX traffic and custom binary protocols.

Replace the serialized Java object with your base64-encoded payload and verify. Prefer a payload whose effect is observable without harming the host (a DNS lookup or outbound connection to a host you control, or a sleep that delays the response) over a destructive command.
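The detection steps above can be scripted without ever calling readObject. The following is an added example, not code from the original finding: it recognises a Java serialization stream (raw or base64) by its magic bytes and heuristically lists the class names carried in TC_CLASSDESC records, so a tester can see whether an intercepted value references org.apache.commons.collections classes before sending any payload. The sample input is a constructed, benign HashMap serialized in-process; the class name SerializedObjectCheck and the 300-byte name limit are assumptions of this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;

public class SerializedObjectCheck {

    // Java serialization stream header: STREAM_MAGIC (0xACED) then STREAM_VERSION (0x0005).
    // Base64-encoded, these four bytes always produce the prefix "rO0AB".
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final byte TC_CLASSDESC = 0x72;

    /** Returns the raw stream bytes if the value is a serialized object (plain or base64), else null. */
    public static byte[] extractStream(String value) {
        byte[] raw = value.getBytes(StandardCharsets.ISO_8859_1);
        if (hasMagic(raw)) {
            return raw;
        }
        try {
            byte[] decoded = Base64.getDecoder().decode(value.trim());
            return hasMagic(decoded) ? decoded : null;
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
    }

    public static boolean hasMagic(byte[] data) {
        if (data.length < MAGIC.length) {
            return false;
        }
        for (int i = 0; i < MAGIC.length; i++) {
            if (data[i] != MAGIC[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Heuristic scan: each TC_CLASSDESC (0x72) is followed by a modified-UTF class name
     * (2-byte big-endian length, then the bytes). Collects plausible names; nothing is deserialized.
     */
    public static List<String> classNames(byte[] data) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 <= data.length; i++) {
            if (data[i] != TC_CLASSDESC) {
                continue;
            }
            int len = ((data[i + 1] & 0xFF) << 8) | (data[i + 2] & 0xFF);
            if (len == 0 || len > 300 || i + 3 + len > data.length) {
                continue; // assumed upper bound on a class name; filters byte coincidences
            }
            String name = new String(data, i + 3, len, StandardCharsets.UTF_8);
            if (looksLikeClassName(name)) {
                names.add(name);
            }
        }
        return names;
    }

    private static boolean looksLikeClassName(String s) {
        if (!s.contains(".") && !s.contains("$")) {
            return false;
        }
        for (char c : s.toCharArray()) {
            if (!(Character.isJavaIdentifierPart(c) || c == '.' || c == '[' || c == ';')) {
                return false;
            }
        }
        return true;
    }

    /** True when any class descriptor comes from the Commons Collections packages (3.x or 4.x). */
    public static boolean referencesCommonsCollections(byte[] data) {
        for (String name : classNames(data)) {
            if (name.startsWith("org.apache.commons.collections")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign serialized HashMap, base64-encoded the way many
        // applications transport objects in cookies and hidden form fields.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }
        String cookie = Base64.getEncoder().encodeToString(bos.toByteArray());
        byte[] stream = extractStream(cookie);
        System.out.println("serialized stream found: " + (stream != null));
        System.out.println("class descriptors: " + classNames(stream));
        System.out.println("Commons Collections classes present: " + referencesCommonsCollections(stream));
    }
}
```

Values captured from a browser are often URL-encoded or gzip-wrapped on top of base64; undo those layers before calling extractStream. The scan is deliberately a heuristic over raw bytes: a stream that does not mention Commons Collections can still carry a different gadget chain, so absence of the package name only rules out this particular finding, not deserialization abuse in general.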

Remediation

Do not deserialize untrusted data. Where deserialization cannot be removed, restrict the classes that ObjectInputStream is allowed to resolve to an explicit allowlist of the types the application expects; sanitizing the bytes before deserialization is not a substitute, because the gadget chain is assembled from legitimate classes.

Update Apache Commons Collections to the newest version (3.2.2 and 4.1 or later no longer deserialize the unsafe functor classes such as InvokerTransformer by default).
This only removes the Commons Collections gadgets; other gadget chains on the class path remain usable.
From the Apache Commons Collections statement:
"However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability."

References
