Deserialization vulnerabilities in Java applications can be leveraged by attackers for remote code execution.
Building on previous research from Gabriel Lawrence and Chris Frohoff of Qualcomm, FoxGlove Security researchers demonstrated how easy it would be for an attacker to exploit Java-based application servers and other products that use Apache Commons Collections, including Oracle WebLogic, IBM WebSphere, Red Hat’s JBoss, Jenkins, and OpenNMS.
In a blog post, the FoxGlove researchers noted that the library is used in a great many projects: a search on GitHub shows more than 1,300 results.
While the exploits described by FoxGlove rely on Apache Commons Collections and the use of the InvokerTransformer class, Frohoff and others said the attacks are possible not because of an actual vulnerability in the library, but because of poor coding practices.
Applications using Apache Commons Collections are vulnerable to remote code execution due to Java deserialization flaws introduced by developers, the researchers said.
Serialization is a process in which an object is converted to a stream of bytes so that it can be stored in memory or a file, or transmitted. Deserialization is the reverse process, in which an object is reconstructed from serialized data, and it can lead to major security issues if not handled properly. IBM just discovered serialization vulnerabilities in the Android operating system.
The problem in this case appears to be that developers of the affected applications failed to ensure that untrusted serialized data is not accepted for deserialization.