| <?xml version="1.0"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <document> |
| <properties> |
| <title>Commons Collections Security Reports</title> |
| <author email="dev@commons.apache.org">Commons Documentation Team</author> |
| </properties> |
| <body> |
| <section name="General Information"> |
| <p>For information about reporting or asking questions about |
| security problems, please see the <a |
| href="http://commons.apache.org/security.html">security page |
| of the Commons project</a>.</p> |
| </section> |
| |
| <section name="Apache Commons Collections Security Vulnerabilities"> |
| <p>This page lists all security vulnerabilities fixed in |
| released versions of Apache Commons Collections. Each |
| vulnerability is given a security impact rating by the |
| development team - please note that this rating may vary from |
| platform to platform. We also list the versions of Commons |
| Collections the flaw is known to affect, and where a flaw has not |
| been verified list the version with a question mark.</p> |
| |
| <p>Please note that binary patches are never provided. If you |
| need to apply a source code patch, use the building |
| instructions for the Commons Collections version that you are |
| using.</p> |
| |
| <p>If you need help on building Commons Collections or other help |
| on following the instructions to mitigate the known |
| vulnerabilities listed here, please send your questions to the |
| public <a href="mail-lists.html">Collections Users mailing |
| list</a>.</p> |
| |
| <p>If you have encountered an unlisted security vulnerability |
| or other unexpected behaviour that has security impact, or if |
| the descriptions here are incomplete, please report them |
| privately to the Apache Security Team. Thank you.</p> |
| |
| <subsection name="Fixed in Apache Commons Collections 3.2.2/4.1"> |
| <p><b>High: Remote Code Execution during object de-serialization</b></p> |
| |
| <p>The Apache Commons Collections library contains various classes |
| in the "functor" package which are serializable and use reflection. |
| This can be exploited for remote code execution attacks by injecting |
| specially crafted objects to applications that de-serialize |
| java objects from untrusted sources and have the Apache Commons Collections |
| library in their classpath and do not perform any kind of input |
| validation.</p> |
| |
| <p>The implemented fix can be tracked via its related issue |
| <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>:</p> |
| |
| <ul> |
| <li><b>3.2.2</b>: de-serialization of unsafe classes in the functor package |
| will trigger an "UnsupportedOperationException" by default. In order to re-enable |
| the previous behavior, the system property |
| "org.apache.commons.collections.enableUnsafeSerialization" has to be set to "true".</li> |
| <li><b>4.1</b>: de-serialization support for unsafe classes in the functor package |
| has been completely removed (unsafe classes do not implement Serializable anymore).</li> |
| </ul> |
| |
| <p>The potential exploit was first presented at AppSecCali2015 [3] on 28 January 2015 by |
| Gabriel Lawrence and Chris Frohoff. Based on these exploits, Stephen Breen published |
| on 06 November 2015 attack scenarios [4] for various products like WebSphere, JBoss, Jenkins, |
| WebLogic, and OpenNMS. The Security team was <b>not</b> informed about these security |
| problems prior to their publication. No CVE id was assigned for the Apache Commons |
| Collections library, please refer to [1] or [2] for more information about the general |
| problem with Java serialization.</p> |
| |
| <p>Affects: 3.0 - 4.0</p> |
| |
| <p>Related links:</p> |
| |
| <ol> |
| <li>Vulnerability Report for Oracle Weblogic Server: |
| <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852">CVE-2015-4852</a></li> |
| <li>Apache Commons |
| <a href="https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread">statement</a> |
| to widespread Java object de-serialisation vulnerability</li> |
| <li><a href="http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles"> |
| Presentation</a> @ AppSecCali2015 by Lawrence and Frohoff</li> |
| <li><a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability">Attack scenarios</a> |
| for various products by Stephen Breen</li> |
| </ol> |
| |
| </subsection> |
| </section> |
| |
| <section name="Errors and Ommissions"> |
| <p>Please report any errors or omissions to <a |
| href="mail-lists.html">the dev mailing list</a>.</p> |
| </section> |
| </body> |
| </document> |