Executive Summary

Summary
Title: Apache Commons Collections Java library insecurely deserializes data
Information
Name: VU#576313
First vendor publication: 2015-11-13
Vendor: VU-CERT
Last vendor modification: 2015-11-30
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
Attack range: Network
CVSS impact score: 6.4
Attack complexity: Low
CVSS exploit score: 10
Authentication: None required

Detail

Vulnerability Note VU#576313

Apache Commons Collections Java library insecurely deserializes data

Original Release date: 13 Nov 2015 | Last revised: 30 Nov 2015

Overview

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.

Description

CWE-502: Deserialization of Untrusted Data

In January 2015, at AppSec California 2015, researchers Gabriel Lawrence and Chris Frohoff described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability.

In November 2015, Stephen Breen of Foxglove Security identified the Apache Commons Collections (ACC) Java library as being vulnerable to insecure deserialization of data; specifically, the ACC InvokerTransformer class may allow arbitrary code execution when used to deserialize data from untrusted sources. According to the researcher, this issue affects several large projects that utilize ACC including WebSphere, JBoss, Jenkins, WebLogic, and OpenNMS. Unify also reports that OpenScape software is affected.

Both versions 3.2.1 and 4.0 of the Apache Commons Collections library have been identified as being vulnerable to this deserialization issue.

The Apache Software Foundation has released a statement regarding this issue, which contains advice for mitigating the issue, as well as further references and links. A bug tracker entry has been filed to track progress toward a full solution.

Other libraries, such as Groovy and Spring, are currently being investigated for similar flaws. Lawrence and Frohoff's presentation describes how applications and libraries written in other languages, such as Python and Ruby, may also be vulnerable to the same type of issue. It is generally up to software designers to follow best practices for security when handling serialized data, no matter the programming language or library used.

Impact

A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.

While many applications do not actively use serialization or deserialization, they often rely on libraries that do. If a class deserializes some input stream (either a file or a socket), and an attacker can send malicious data down that stream, the attacker can cause the program to construct objects of any class on its classpath (whether the program uses those classes or not). Some classes, such as those in ACC, automatically execute code based on attacker-supplied deserialization input.

An application that neither uses deserialization, nor employs any libraries that use deserialization, would not be vulnerable to this problem. Such an application should also lack a plugin architecture, or any mechanism for loading code that might use deserialization.

Solution

The CERT/CC is currently unaware of a full solution to this problem, but you may consider the following:

Apply an update

Apache Commons Collections version 3.2.2 and version 4.1 have been released. These releases mitigate the vulnerability by disabling the insecure functionality.

Developers need to re-architect their applications, and should be suspicious of deserialized data from untrusted sources

Developers will need to make further architectural changes to secure their applications before they can re-enable functionality in ACC version 3.2.2 and later. From Apache's statement:

    However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability.

Developers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the CERT Oracle Coding Standard for Java guidelines for Serialization, especially rules SER12-J and SER13-J.

Use firewall rules or filesystem restrictions

System administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application, such as Jenkins, utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Apache Software Foundation | Affected | - | 10 Nov 2015
IBM Corporation | Affected | - | 30 Nov 2015
Jenkins | Affected | - | 30 Nov 2015
Oracle Corporation | Affected | - | 30 Nov 2015
Unify Inc | Affected | - | 30 Nov 2015
Red Hat, Inc. | Unknown | - | 30 Nov 2015

CVSS Metrics

Group | Score | Vector
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 6.4 | E:POC/RL:W/RC:C
Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
  • https://issues.apache.org/jira/browse/COLLECTIONS-580
  • https://networks.unify.com/security/advisories/OBSO-1511-01.pdf
  • http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179
  • https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
  • http://www.openwall.com/lists/oss-security/2015/11/11/3
  • http://www.infoq.com/news/2015/11/commons-exploit
  • https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/
  • http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  • http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3c20151106222553.00002c57.ecki@zusammenkunft.net%3e
  • http://frohoff.github.io/appseccali-marshalling-pickles/
  • http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
  • https://www.youtube.com/watch?v=VviY3O-euVQ
  • https://commons.apache.org/proper/commons-collections/
  • http://cwe.mitre.org/data/definitions/502.html
  • https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407
  • http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8

Credit

This type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.

This document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.

Other Information

  • CVE IDs: Unknown
  • Date Public: 28 Jan 2015
  • Date First Published: 13 Nov 2015
  • Date Last Updated: 30 Nov 2015
  • Document Revision: 79

Original Source

Url : http://www.kb.cert.org/vuls/id/576313

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-502 | Deserialization of Untrusted Data

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 35
Application | | 1
Application | | 1
Application | | 4

SAINT Exploits

Description
Oracle WebLogic Apache Commons library deserialization vulnerability

Snort® IPS/IDS

Date Description
2016-03-29 Java Library CommonsCollection unauthorized serialized object attempt
RuleID : 37860 - Revision : 5 - Type : SERVER-WEBAPP
2016-03-29 Java Library CommonsCollection unauthorized serialized object attempt
RuleID : 37859 - Revision : 6 - Type : SERVER-WEBAPP
2016-03-14 Java Library CommonsCollection unauthorized serialized object attempt
RuleID : 36826 - Revision : 11 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2017-07-21 Name : An application running on the remote web server is affected by multiple vulne...
File : oracle_primavera_gateway_cpu_jul_2017.nasl - Type : ACT_GATHER_INFO
2017-05-02 Name : A web application running on the remote host is affected by a remote code exe...
File : cisco_security_java_deser.nasl - Type : ACT_ATTACK
2017-05-02 Name : A network management system running on the remote host is affected by a remot...
File : cisco_prime_lms_java_deser.nasl - Type : ACT_ATTACK
2017-01-25 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_2_2_1075.nasl - Type : ACT_GATHER_INFO
2017-01-25 Name : A web application running on the remote host is affected by a remote code exe...
File : mysql_enterprise_monitor_3_1_6_7959.nasl - Type : ACT_GATHER_INFO
2017-01-25 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_1_5_7958.nasl - Type : ACT_GATHER_INFO
2016-11-17 Name : A web management application running on the remote host is affected by multip...
File : hp_nnmi_console_10_10.nasl - Type : ACT_GATHER_INFO
2016-10-26 Name : An application server installed on the remote host is affected by multiple vu...
File : oracle_weblogic_server_cpu_oct_2016.nasl - Type : ACT_GATHER_INFO
2016-10-10 Name : The remote device is affected by a remote code execution vulnerability.
File : cisco_cucm_CSCux34835.nasl - Type : ACT_GATHER_INFO
2016-08-24 Name : A web application hosted on the remote web server is affected by a remote cod...
File : hp_intelligent_management_center_7_2.nasl - Type : ACT_GATHER_INFO
2016-07-25 Name : The remote web server is affected by a remote code execution vulnerability.
File : hp_ucmdb_server_cve-2016-4368.nasl - Type : ACT_ATTACK
2016-07-20 Name : The Nexus Repository Manager server running on the remote host is affected by...
File : sonatype_nexus_deserialization.nasl - Type : ACT_GATHER_INFO
2016-07-13 Name : The remote SolarWinds Virtualization Manager server is affected by a remote c...
File : solarwinds_virtualization_manager_rmi_deserialization.nasl - Type : ACT_ATTACK
2016-05-12 Name : A web-based application running on the remote Windows host is affected by mul...
File : coldfusion_win_apsb16-16.nasl - Type : ACT_GATHER_INFO
2016-05-03 Name : The remote host has a web application installed that is affected by a remote ...
File : oracle_oats_cpu_apr_2016.nasl - Type : ACT_GATHER_INFO
2016-04-26 Name : The NetIQ Sentinel server installed on the remote host is affected by multipl...
File : netiq_sentinel_7_4_1_0.nasl - Type : ACT_GATHER_INFO
2016-04-20 Name : The remote NetIQ Sentinel server is affected by a remote code execution vulne...
File : netiq_sentinel_rmi_deserialization.nasl - Type : ACT_ATTACK
2016-03-23 Name : The remote host is affected by a remote code execution vulnerability.
File : hp_operations_orchestration_hpsbgn03560.nasl - Type : ACT_GATHER_INFO
2016-03-14 Name : The remote web server hosts a job scheduling and management system that is af...
File : jenkins_1_650.nasl - Type : ACT_GATHER_INFO
2016-02-29 Name : The remote web server is affected by a remote code execution vulnerability.
File : jenkins_security247.nasl - Type : ACT_ATTACK
2016-02-17 Name : The remote Lexmark Markvision Enterprise server is affected by a remote code ...
File : lexmark_markvision_enterprise_2016_1487.nasl - Type : ACT_ATTACK
2016-02-08 Name : A security management application installed on the remote Windows host is aff...
File : mcafee_epo_sb10144.nasl - Type : ACT_GATHER_INFO
2016-02-03 Name : The remote host is affected by a remote code execution vulnerability.
File : hp_operations_manager_for_win_CVE-2016-1985_local.nasl - Type : ACT_GATHER_INFO
2016-01-06 Name : The remote host has a virtualization application installed that is affected b...
File : vmware_orchestrator_vmsa_2015_0009.nasl - Type : ACT_GATHER_INFO
2016-01-06 Name : The remote host has a virtualization appliance installed that is affected by ...
File : vmware_orchestrator_appliance_vmsa_2015_0009.nasl - Type : ACT_GATHER_INFO
2015-12-18 Name : An application running on the remote host is affected by an arbitrary command...
File : symantec_endpoint_prot_mgr_2015_6554.nasl - Type : ACT_ATTACK
2015-12-17 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL30518307.nasl - Type : ACT_GATHER_INFO
2015-12-16 Name : The remote host is running a web application that is affected by a remote cod...
File : activemq_5_13_0.nasl - Type : ACT_GATHER_INFO
2015-12-10 Name : The remote OpenNMS server is affected by a remote code execution vulnerability.
File : opennms_java_serialize.nasl - Type : ACT_ATTACK
2015-12-10 Name : The remote JBoss server is affected by multiple remote code execution vulnera...
File : jboss_java_serialize.nasl - Type : ACT_ATTACK
2015-12-02 Name : The remote WebSphere Application Server is affected by a remote code executio...
File : websphere_java_serialize.nasl - Type : ACT_ATTACK
2015-11-23 Name : The remote Oracle WebLogic server is affected by a remote code execution vuln...
File : weblogic_2015_4852.nasl - Type : ACT_ATTACK
2015-11-17 Name : The remote web server is affected by a remote code execution vulnerability.
File : jenkins_security218.nasl - Type : ACT_GATHER_INFO

Alert History

Date | Information
2018-10-31 00:23:47
  • Multiple Updates
2017-07-23 13:25:31
  • Multiple Updates
2017-05-04 13:25:28
  • Multiple Updates
2017-01-26 13:24:35
  • Multiple Updates
2016-11-18 13:25:41
  • Multiple Updates
2016-10-27 13:26:38
  • Multiple Updates
2016-10-11 13:21:32
  • Multiple Updates
2016-08-31 13:25:22
  • Multiple Updates
2016-08-25 13:25:50
  • Multiple Updates
2016-07-26 13:25:55
  • Multiple Updates
2016-07-22 13:38:25
  • Multiple Updates
2016-07-14 13:25:21
  • Multiple Updates
2016-06-08 13:25:04
  • Multiple Updates
2016-05-13 13:29:30
  • Multiple Updates
2016-05-04 13:29:44
  • Multiple Updates
2016-04-28 13:28:17
  • Multiple Updates
2016-04-21 13:24:43
  • Multiple Updates
2016-03-24 13:25:50
  • Multiple Updates
2016-03-15 13:25:11
  • Multiple Updates
2016-03-01 13:26:32
  • Multiple Updates
2016-02-18 13:27:47
  • Multiple Updates
2016-02-09 13:27:38
  • Multiple Updates
2016-02-04 13:27:33
  • Multiple Updates
2016-01-22 09:27:07
  • Multiple Updates
2016-01-20 21:26:13
  • Multiple Updates
2016-01-09 00:27:22
  • Multiple Updates
2016-01-07 13:25:48
  • Multiple Updates
2015-12-19 13:23:01
  • Multiple Updates
2015-12-17 13:26:56
  • Multiple Updates
2015-12-11 13:26:25
  • Multiple Updates
2015-12-03 13:26:57
  • Multiple Updates
2015-12-01 00:23:40
  • Multiple Updates
2015-11-30 21:24:25
  • Multiple Updates
2015-11-24 13:26:48
  • Multiple Updates
2015-11-19 21:29:06
  • Multiple Updates
2015-11-18 21:28:49
  • Multiple Updates
2015-11-18 13:26:30
  • Multiple Updates
2015-11-18 00:22:13
  • Multiple Updates
2015-11-17 00:17:10
  • Multiple Updates
2015-11-13 21:21:59
  • First insertion