Date: Mon, 9 Nov 2015 13:52:55 +0000
From: Pedro Vaz De Sousa Grilo <pedrosousagrilo@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Assign CVE for common-collections remote code execution on deserialisation flaw

I think it is. You can execute remote code by exploiting HTTP, RMI and JMI.

On Mon, Nov 9, 2015 at 6:58 AM, Florian Weimer <fweimer@...hat.com> wrote:
> On 11/09/2015 01:36 AM, Jason Shepherd wrote:
> > Hello oss-esc,
> >
> > It was found that a flaw in Apache commons-collections Java library
> > allowed remote code execution when Deserialised with Java Object
> > Serialization.
>
> This is not a vulnerability in the library. How can this feature allow
> remote code execution if it does not involve any networking at all?
>
> The root cause is the incorrect use of Java deserialization. As long as
> you do not fix that, something else on the classpath will serve the role
> of Apache Commons Collections.
>
> Disabling InvokerTransformer deserialization may be a prudent hardening
> measure, but calling the existing behavior a vulnerability is a bit of a
> stretch.
>
> Florian
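The hardening Florian alludes to, fixing the deserialisation call site rather than one gadget class, as an added example that is not code from this thread or from Apache Commons: an ObjectInputStream that only resolves an explicit allow-list of classes, so a stream carrying InvokerTransformer (or any other classpath gadget) is rejected in resolveClass, before its readObject ever runs. "com.example.Order" is an assumed application type.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

/**
 * Look-ahead allow-list deserialisation. resolveClass() is called for each
 * class descriptor before any instance of that class is created, so an
 * unexpected class in the stream never gets to execute its readObject.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Only the types the application genuinely expects on the wire.
    // "com.example.Order" is an assumed application class, not a real one.
    private static final Set<String> ALLOWED = Set.of(
            "com.example.Order",
            "java.lang.String", "java.lang.Integer", "java.lang.Number");

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Rejecting here means a gadget's readObject never runs.
            throw new InvalidClassException(name, "not on deserialisation allow-list");
        }
        return super.resolveClass(desc);
    }

    // Round-trips an object through a byte array using the hardened stream.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Integer and its superclass Number are both listed, so this succeeds.
        System.out.println("allowed: " + roundTrip(42));
        try {
            // HashMap stands in for any class the application did not expect.
            roundTrip(new HashMap<String, String>());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing, via ObjectInputFilter.Config.createFilter and ObjectInputStream.setObjectInputFilter (JEP 290).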