Apache Commons Collections includes a class called InvokerTransformer (org.apache.commons.collections.functors.InvokerTransformer). An application is vulnerable to a deserialization attack when two conditions hold: the class is available on the classpath, and the application deserializes untrusted or user-supplied data with ObjectInputStream. It is not necessary for the application to actually use InvokerTransformer; standard Java deserialization resolves and instantiates any serializable class named in the stream, so merely shipping the jar is enough. With both conditions satisfied, an attacker can construct a gadget chain from classes in the component that invokes arbitrary methods (for example Runtime.exec) while the stream is being read, before the application ever sees the resulting object. The chain relies on InvokerTransformer to perform the reflective method invocation during deserialization. The fix (COLLECTIONS-580, released in Commons Collections 3.2.2 and 4.1) disables deserialization of InvokerTransformer and the other unsafe functors by default unless it is explicitly re-enabled. CVE-2015-4852 (Oracle WebLogic), CVE-2015-6420 (Cisco products), CVE-2015-7501 (Red Hat JBoss), and CVE-2015-7450 (IBM WebSphere) all relate to this artifact. Updating the library closes this particular chain but does not make deserializing untrusted input safe in general; other libraries carry other gadget chains, so the deserialization boundary itself must be restricted.
Vendor | Product | Version | CPE |
---|---|---|---|
apache | commons_collections | 4.0 | cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* |
- | flink-shaded-include-yarn | 0.9.1 | cpe:2.3:a:-:flink-shaded-include-yarn:0.9.1:*:*:*:*:*:*:* |
- | oak_upgrade | 1.3.7 | cpe:2.3:a:-:oak_upgrade:1.3.7:*:*:*:*:*:*:* |
apache | commons_collections | * | cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* |
- | jbehave_core | * | cpe:2.3:a:-:jbehave_core:*:*:*:*:*:*:*:* |
- | apacheds_all | * | cpe:2.3:a:-:apacheds_all:*:*:*:*:*:*:*:* |
- | gwt-dev | * | cpe:2.3:a:-:gwt-dev:*:*:*:*:*:*:*:* |
foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html
seclists.org/oss-sec/2015/q4/238
www-01.ibm.com/support/docview.wss?uid=swg21970575
www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852
www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420
www.openwall.com/lists/oss-security/2015/11/17/19
www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
www.securityfocus.com/bid/77539
www.securitytracker.com/id/1038292
blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
blogs.oracle.com/security/entry/security_alert_cve_2015_4852
github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
issues.apache.org/jira/browse/COLLECTIONS-580
svn.apache.org/viewvc?view=revision&revision=1713307
www.exploit-db.com/exploits/42806/
www.exploit-db.com/exploits/46628/