Approximately nine months ago, security researchers Gabriel Lawrence and Chris Frohoff brought to light a remote code execution vulnerability in Apache Commons Collections, one of the most widely used Java libraries. It went almost unnoticed for the rest of the year because of its complicated nature, and probably because it wasn't given a fancy name or mentioned in any press release.
The issue resurfaced when Matthias Kaiser recently gave a talk about it, which prompted Foxglove Security's Steve Breen to scrutinize the vulnerability.
Breen then demonstrated the Commons Collections RCE vulnerability against several applications, including WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. Beyond the applications Breen tested the exploit on, other applications that use the Commons Collections library are vulnerable to it as well.
"Vulnerabilities arise when developers write code that accepts serialized data from users and attempt to unserialize it for use in the program. Depending on the language, this can lead to all sorts of consequences," Breen writes on the Foxglove Security website, where he indexes the details of the exploit.
Basically, one of the possible consequences is that the serialized data can be manipulated. Lawrence and Frohoff outlined the vulnerability in a presentation posted on SlideShare, which they called Marshalling Pickles.
"Any big binary blob needs to be investigated as potential object serialization," the pair writes on the post.
On an interesting note, the last update to the Commons Collections library was two years ago, on Nov. 24, 2013.
Breen fortunately provides a guide on "how to monkey patch your servers" in his blog post.
"It will fix it, but it's an admittedly ugly solution," he notes regarding the patch.
It's a good thing that this RCE vulnerability was unearthed, and thanks to Breen, more people will be aware of its potential danger and how to "monkey patch" the issue.
Photo: Dmitry Baranovskiy | Flickr