src/site/xdoc/security-reports.xml

<?xml version="1.0"?>
<!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to You under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-->
<document>
    <properties>
        <title>Commons Collections Security Reports</title>
        <author email="dev@commons.apache.org">Commons Documentation Team</author>
    </properties>
    <body>
      <section name="General Information">
        <p>For information about reporting or asking questions about
        security problems, please see the <a
        href="http://commons.apache.org/security.html">security page
        of the Commons project</a>.</p>
      </section>

      <section name="Apache Commons Collections Security Vulnerabilities">
        <p>This page lists all security vulnerabilities fixed in
        released versions of Apache Commons Collections. Each
        vulnerability is given a security impact rating by the
        development team - please note that this rating may vary from
        platform to platform. We also list the versions of Commons
        Collections the flaw is known to affect, and where a flaw has not
        been verified list the version with a question mark.</p>

        <p>Please note that binary patches are never provided. If you
        need to apply a source code patch, use the building
        instructions for the Commons Collections version that you are
        using.</p>

        <p>If you need help on building Commons Collections or other help
        on following the instructions to mitigate the known
        vulnerabilities listed here, please send your questions to the
        public <a href="mail-lists.html">Collections Users mailing
        list</a>.</p>

        <p>If you have encountered an unlisted security vulnerability
        or other unexpected behaviour that has security impact, or if
        the descriptions here are incomplete, please report them
        privately to the Apache Security Team. Thank you.</p>

        <subsection name="Fixed in Apache Commons Collections 3.2.2/4.1">
          <p><b>High: Remote Code Execution during object de-serialization</b></p>
          
          <p>The Apache Commons Collections library contains various classes
          in the "functor" package which are serializable and use reflection.
          This can be exploited for remote code execution attacks by injecting
          specially crafted objects to applications that de-serialize
          java objects from untrusted sources and have the Apache Commons Collections
          library in their classpath and do not perform any kind of input
          validation.</p>

          <p>The implemented fix can be tracked via its related issue  
          <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>:</p>
          
          <ul>
            <li><b>3.2.2</b>: de-serialization of unsafe classes in the functor package
                will trigger an "UnsupportedOperationException" by default. In order to re-enable
                the previous behavior, the system property
                "org.apache.commons.collections.enableUnsafeSerialization" has to be set to "true".</li>
            <li><b>4.1</b>: de-serialization support for unsafe classes in the functor package
                has been completely removed (unsafe classes do not implement Serializable anymore).</li>
          </ul>

          <p>The potential exploit was first presented at AppSecCali2015 [3] on 28 January 2015 by
          Gabriel Lawrence and Chris Frohoff. Based on these exploits, Stephen Breen published
          on 06 November 2015 attack scenarios [4] for various products like WebSphere, JBoss, Jenkins,
          WebLogic, and OpenNMS. The Security team was <b>not</b> informed about these security
          problems prior to their publication. No CVE id was assigned for the Apache Commons
          Collections library, please refer to [1] or [2] for more information about the general
          problem with Java serialization.</p>
          
          <p>Affects: 3.0 - 4.0</p>
          
          <p>Related links:</p>
          
          <ol>
            <li>Vulnerability Report for Oracle Weblogic Server:
                <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852">CVE-2015-4852</a></li>
            <li>Apache Commons
                <a href="https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread">statement</a>
                to widespread Java object de-serialisation vulnerability</li>
            <li><a href="http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles">
                Presentation</a> @ AppSecCali2015 by Lawrence and Frohoff</li>
            <li><a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability">Attack scenarios</a>
                for various products by Stephen Breen</li>
          </ol>

        </subsection>
      </section>

      <section name="Errors and Ommissions">
        <p>Please report any errors or omissions to <a
        href="mail-lists.html">the dev mailing list</a>.</p>
      </section>
    </body>
</document>