Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Nov 2015 13:52:55 +0000
From: Pedro Vaz De Sousa Grilo <pedrosousagrilo@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Assign CVE for common-collections remote code
 execution on deserialisation flaw

I think it is. You can execute remote code by exploiting HTTP, RMI and JMI

On Mon, Nov 9, 2015 at 6:58 AM, Florian Weimer <fweimer@...hat.com> wrote:

> On 11/09/2015 01:36 AM, Jason Shepherd wrote:
> > Hello oss-esc,
> >
> > It was found that a flaw in Apache commons-collections Java library
> allowed remote code execution when Deserialised with Java Object
> Serialization.
>
> This is not a vulnerability in the library.  How can this feature allow
> remote code execution if it does not involve any networking at all?
>
> The root cause is the incorrect use of Java deserialization.  As long as
> you do not fix that, something else on the classpath will serve the role
> of Apache Commons Collections.
>
> Disabling InvokerTransformer deserialization may be a prudent hardening
> measure, but calling the existing behavior a vulnerability is a bit of a
> stretch.
>
> Florian
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ