Veracode Vulnerability Database, entry VERACODE:1847
Published: Nov 09, 2015, 7:34 p.m.

Potential Remote Code Execution Via Java Object Deserialization

Source: sca.analysiscenter.veracode.com
Tags: remote code execution, java object deserialization, apache commons, invokertransformer, cve-2015-4852, cve-2015-6420, cve-2015-7501, cve-2015-7450

EPSS: 0.97 (percentile 99.8%)

Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data; it is not necessary for the application itself to use InvokerTransformer. With these two conditions satisfied, an attacker may construct a gadget chain from classes in the component to execute arbitrary code. The chain relies on InvokerTransformer, in the org.apache.commons.collections.functors package, to invoke methods during the deserialization process. The fix prevents deserialization of InvokerTransformer by default unless it is specifically enabled. CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact.
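One way to mitigate this on the consuming side, as an added example that is not from the advisory or from Apache Commons: a look-ahead ObjectInputStream that rejects the functors package (where InvokerTransformer lives) before any object from the stream is instantiated. The class name SafeObjectInputStream, the blocked-prefix list and the sample payload are assumptions made for illustration.

```java
import java.io.*;
import java.util.Collections;

// Added example, not from the advisory: a look-ahead ObjectInputStream that refuses the
// Commons Collections functor package (home of InvokerTransformer) before any object is built.
public class SafeObjectInputStream extends ObjectInputStream {
    // Functor packages of Commons Collections 3.x and of the collections4 artifact (assumed policy).
    private static final String[] BLOCKED_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors."
    };

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }
    // Policy decision kept separate so it can be checked without building a stream.
    static boolean isBlocked(String className) {
        for (String prefix : BLOCKED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
    // Called for each class descriptor as it is read, i.e. before the JVM instantiates the
    // object, so a gadget chain is rejected before its readObject logic can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isBlocked(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "blocked by deserialization policy");
        }
        return super.resolveClass(desc);
    }

    // Demo with a constructed, benign payload; the policy check is then shown directly.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(Collections.singletonList("constructed sample"));
        }
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("benign object read: " + in.readObject());
        }
        System.out.println("InvokerTransformer blocked: "
            + isBlocked("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```

On Java 9 and later the same deny-list policy can be applied without subclassing through java.io.ObjectInputFilter, and upgrading to a fixed Commons Collections release remains the primary remediation.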

Affected configurations

Entries are combined with OR. The "Vulners node" column gives the match rule recorded in the source (exact version match or range); the CPE column gives the corresponding CPE 2.3 string.

Vendor  Product                    Version  Vulners node      CPE
apache  commons_collections        4.0      Match 4.0         cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*
-       flink-shaded-include-yarn  0.9.1    Match 0.9.1       cpe:2.3:a:-:flink-shaded-include-yarn:0.9.1:*:*:*:*:*:*:*
-       oak_upgrade                1.3.7    Match 1.3.7       cpe:2.3:a:-:oak_upgrade:1.3.7:*:*:*:*:*:*:*
apache  commons_collections        *        Range 3.2.1       cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*
-       jbehave_core               *        Range 3.0-beta-2  cpe:2.3:a:-:jbehave_core:*:*:*:*:*:*:*:*
-       apacheds_all               *        Range 2.0.0-M20   cpe:2.3:a:-:apacheds_all:*:*:*:*:*:*:*:*
-       gwt-dev                    *        Range 2.7.0       cpe:2.3:a:-:gwt-dev:*:*:*:*:*:*:*:*
