Major bug goes unnoticed in one of Java's most popular libraries, despite getting a CVSS vulnerability score of 10

Nov 6, 2015 23:00 GMT  ·  By

Back in late January, two security researchers, Gabriel Lawrence and Chris Frohoff, disclosed a Remote Code Execution (RCE) vulnerability that can be reached through one of the most popular Java libraries around, Apache Commons Collections.

Because the vulnerability is quite hard to understand, the issue went unnoticed for almost the entire year despite the researchers' best efforts.

A recent talk by Matthias Kaiser on the same topic (video below) has brought the issue back to light and spurred Steve Breen of Foxglove Security to investigate it further, in a blog post that contains all the details needed to exploit it in various scenarios.

Mr. Breen was able to use the RCE vulnerability against applications that ship Commons Collections, among them WebLogic, IBM WebSphere, JBoss, Jenkins, and OpenNMS. Other applications that use the library can be open to the same remote attack, not just the ones Mr. Breen tested; the condition is that the application deserializes user-supplied data.

A monkey patch fix is available

The problem lies in the way applications deserialize untrusted objects when the Commons Collections library is available to them. The library, despite being a third-party tool not included in the Java core, is one of the most widely used Java libraries, as a quick GitHub search for its various names and combinations shows.

What makes it worse is that serializing and deserializing data is common practice in Java, which increases the chance of this issue turning up in even more applications.
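To make the problem concrete, here is an added example (not code from the article, nor from Mr. Breen's or Mr. Frohoff's tooling) of the pattern that makes an application exploitable, a plain ObjectInputStream fed attacker-controlled bytes, next to a hardened variant that refuses to load any class not on an explicit allow-list. The Order class and the allow-list contents are assumptions made for illustration; a stand-in class (ArrayList) plays the role of the unexpected payload so the example runs with the JDK alone, without Commons Collections on the classpath.

```java
import java.io.*;
import java.util.*;

/*
 * Added example, not code from the original article nor from Breen's or
 * Frohoff's tooling. Shows the vulnerable pattern (deserializing untrusted
 * bytes with a plain ObjectInputStream) next to a hardened variant that
 * refuses to load any class not on an explicit allow-list. The Order class
 * and the allow-list contents are assumptions for illustration only.
 */
public class SafeDeserialization {

    /** Hypothetical application type the endpoint legitimately expects. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int quantity;
        Order(String item, int quantity) { this.item = item; this.quantity = quantity; }
        @Override public String toString() { return quantity + " x " + item; }
    }

    /** VULNERABLE: any Serializable class on the classpath, gadget chains included, may be instantiated. */
    static Object unsafeReadObject(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** HARDENED: resolveClass() runs before any instance is created, so the payload cannot sidestep the check. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
                Order.class.getName(),
                "java.lang.String",
                "java.lang.Integer",
                "java.lang.Number"));

        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Reject by name before the class is even loaded.
                throw new InvalidClassException(name, "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object safeReadObject(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Order("widget", 3));
        // Constructed stand-in for a malicious payload: any class the endpoint never expects.
        byte[] unexpected = serialize(new ArrayList<>(Arrays.asList("not", "an", "Order")));

        System.out.println("unsafe, legit:      " + unsafeReadObject(legit));
        System.out.println("unsafe, unexpected: " + unsafeReadObject(unexpected)); // accepted: this is the bug
        System.out.println("safe,   legit:      " + safeReadObject(legit));
        try {
            safeReadObject(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe,   unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The allow-list has to name every class the stream may legitimately contain, including the nested types of your own objects; a deny-list of known gadget classes is the weaker choice, because new gadget chains keep being found in other libraries. Later JDK releases added a built-in mechanism for the same purpose (ObjectInputFilter, JEP 290), but the resolveClass() override above works on any Java version.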

An earlier version of this article blamed the library itself, noting that its last release, version 4.0, dates back to November 2013. We were corrected by Mr. Frohoff, who said the vulnerability lies in how developers treat user-supplied serialized data, and not in the library.

Besides providing exploits that work with Chris Frohoff's proof-of-concept payload generator, Mr. Breen also provided a fix for applications that might have this issue.

"It will fix it," says Breen, "but it’s an admittedly ugly solution."

UPDATE: The article has been fixed to reflect the fact that the vulnerability is in how developers use the Commons Collections library to deal with user-supplied serialized data, and not the library itself.