
[Vulnerability notice] Remote code execution vulnerability in Java deserialization process

Last Updated: May 07, 2018

Description

On November 6, 2015, the FoxGlove security research team published an article on its blog about how to exploit the remote code execution vulnerability in the deserialization process of common Java applications.

The Java applications mentioned in the blog post all use the Apache Commons Collections library, and each exposes an accessible interface that accepts serialized Java object data. The post provides analysis and verification code for each application to show how widespread the remote command execution vulnerability is in Java applications.

Hazard

If a machine runs an application that includes the Apache Commons Collections library, an attacker can exploit this vulnerability at any time to run arbitrary system commands, gain full control of the machine, and destroy or steal the data on it.

Affected applications

All applications that use the Apache Commons Collections library are affected by this vulnerability. Currently, the applications confirmed to be affected include:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS
  • Java RMI

Fix

Upgrade the Apache Commons Collections library to the latest version.
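As an added example (not part of this notice), the following Python audit locates Commons Collections JARs under an application's directory and compares the version recorded in each against the first fixed release of that line; the fixed-release numbers are operator-supplied placeholders to be taken from the Apache release notes, and the sample JAR is constructed for offline demonstration.

```python
import io
import os
import re
import zipfile
# Maven-built JARs carry META-INF/maven/<groupId>/<artifactId>/pom.properties (3.x: commons-collections, 4.x: commons-collections4).
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/commons-collections4?/pom\.properties$")

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jar_version(jar_bytes):
    """Version recorded in the JAR, or None if it is not a Commons Collections JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPS.match(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        return value.strip()
    return None

def audit_jar(jar_bytes, fixed_by_major):
    """Status of one JAR: 'vulnerable', 'ok', 'unknown' (major line not in the table) or None (other library).
    fixed_by_major maps major version -> first fixed release of that line (operator-supplied placeholder)."""
    version = jar_version(jar_bytes)
    if version is None:
        return None
    parsed = parse_version(version)
    fixed = fixed_by_major.get(parsed[0]) if parsed else None
    if fixed is None:
        return "unknown"
    return "ok" if parsed >= parse_version(fixed) else "vulnerable"

def audit_tree(root, fixed_by_major):
    """Yield (jar_path, status) for every Commons Collections JAR under root."""
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                status = audit_jar(fh.read(), fixed_by_major)
            if status is not None:
                yield path, status

def make_sample_jar(artifact, version):
    """Constructed stand-in JAR for offline demonstration (not a real Apache build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/org.apache.commons/{artifact}/pom.properties", f"version={version}\n")
    return buf.getvalue()
```

Run `audit_tree` over each application's library directory; a JAR reported as `unknown` means its major line is missing from the table and should be checked by hand rather than assumed safe.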
