All Products
Document Center

[Vulnerability notice] Remote code execution vulnerability in Java deserialization process

Last Updated: May 07, 2018


On November 6, 2015, the FoxGlove security research team published an article on its blog about how to exploit the remote code execution vulnerablity during the deserialization process in common Java applications.

The Java applications mentioned in the blog post all use the Apache Commons Collections library, and they all have a serialized object data interaction interface that can be accessed. The blog describes corresponding analysis and validation code for each application to illustrate the universality of the remote command execution vulnerability in Java applications.


Once a machine is deployed with the Apache Commons Collections library, hackers can exploit this vulnerability at any time to run any system commands to gain full control of the machine, destroying or stealing the data on the machine.

Affected applications

All applications that use the Apache Commons Collections library are affected by this vulnerability. Currently, the applications that have been confirmed as compromised include:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS


Upgrade the Apache Commons Collections library to the latest version.