Major bug goes unnoticed in one of Java’s most popular libraries, despite getting a CVSS vulnerability score of 10
Back in late January, two security researchers (Gabriel Lawrence and Chris Frohoff) uncovered an RCE (Remote Code Execution) vulnerability in one of the most used Java libraries around, the Apache Commons Collections library.
Because the vulnerability is quite hard to understand, the issue went unnoticed for almost the entire year, despite the researchers’ best efforts.
A recent talk given by Matthias Kaiser on the same topic has brought the issue back to light and spurred Steve Breen from Foxglove Security to investigate it even further, in a blog post that contains all the details you’ll need to successfully exploit it in various scenarios.
Mr. Breen was able to use the Commons Collections RCE vulnerability and exploit applications like WebLogic, IBM WebSphere, JBoss, Jenkins, and OpenNMS. Of course, other applications that use the Commons Collections library can also be potentially vulnerable to remote attacks, not just the ones tested by Mr. Breen.
A monkey patch fix is available
The problem lies in the way Java handles object deserialization operations via the Commons Collections library, which, despite being a third-party tool that is not included in the Java core, is one of the most used Java libraries. This can easily be verified by a quick search on GitHub for the library’s various names and combinations.
What makes it even worse is that serializing and deserializing data is common practice in Java, increasing the likelihood of this bug being present in even more applications.
Unfortunately, the last update the Commons Collections library got dates back to November 2013, when Apache released version 4.0.
Besides providing an exploit that can go with Chris Frohoff’s proof-of-concept payload generator, the good news is that Mr. Breen also provided a fix.
“It will fix it,” says Breen, “but it’s an admittedly ugly solution.”
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us, she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.