CVSS2: AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS Percentile: 99.7%
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.
CWE-502: Deserialization of Untrusted Data - CVE-2015-6420
In January 2015, at AppSec California 2015, researchers Gabriel Lawrence and Chris Frohoff described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability.
In November 2015, Stephen Breen of Foxglove Security identified the Apache Commons Collections (ACC) Java library as being vulnerable to insecure deserialization of data; specifically, the ACC InvokerTransformer class may allow arbitrary code execution when used to deserialize data from untrusted sources. According to the researcher, this issue affects several large projects that utilize ACC including WebSphere, JBoss, Jenkins, WebLogic, and OpenNMS. Unify also reports that OpenScape software is affected. In addition, Cisco has released an advisory for their products.
Both versions 3.2.1 and 4.0 of the Apache Commons Collections library have been identified as being vulnerable to this deserialization issue.
The Apache Software Foundation has released a statement regarding this issue, which contains advice for mitigating the issue, as well as further references and links. A bug tracker entry has been filed to track progress toward a full solution.
Other libraries, such as Groovy and Spring, are currently being investigated for similar flaws. Lawrence and Frohoff's presentation describes how applications and libraries written in other languages, such as Python and Ruby, may also be vulnerable to the same type of issue. It is generally up to software designers to follow best practices for security when handling serialized data, no matter the programming language or library used.
A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.
While many applications do not actively use serialization or deserialization, they often rely on libraries that do. If a class deserializes some input stream (either a file or a socket), and an attacker can send malicious data down that stream, the attacker can cause the program to construct objects of any class on its classpath (whether the program uses those classes or not). Some classes, such as those in ACC, automatically execute code based on attacker-supplied deserialization input.
An application that neither uses deserialization, nor employs any libraries that use deserialization, would not be vulnerable to this problem. Such an application should also lack a plugin architecture, or any mechanism for loading code that might use deserialization.
The CERT/CC is currently unaware of a full solution to this problem, but you may consider the following:
Apply an update
Apache Commons Collections versions 3.2.2 and 4.1 have been released. These releases mitigate the vulnerability by disabling the insecure functionality.
Developers need to re-architect their applications, and should be suspicious of deserialized data from untrusted sources
Developers will need to make further architectural changes to secure their applications before they can re-enable functionality in ACC version 3.2.2 and later. From Apache's statement:
*However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability.*
Developers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the CERT Oracle Coding Standard for Java guidelines for Serialization, especially rules SER12-J and SER13-J.
Use firewall rules or filesystem restrictions
System administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application, such as Jenkins, utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue.
Updated: November 10, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: July 18, 2017
Affected
We have not received a statement from the vendor.
Cisco has released a security advisory and list of affected products at the URL below. Cisco has assigned CVE-2015-6420 to this issue.
As of 2017-07-18, CERT/CC is aware of a report that Cisco Unity Express (CUE) 8.6.1 is still vulnerable to this issue and is incorrectly identified as "not vulnerable" in the above Cisco advisory. We have reached out to Cisco for clarification.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Updated: November 30, 2015
Affected
We have not received a statement from the vendor.
IBM has released a security advisory for WebSphere at the following URL:
Updated: November 30, 2015
Affected
We have not received a statement from the vendor.
Jenkins has released a security advisory at the URL below. CVE-2015-8103 was assigned this issue in Jenkins.
Updated: November 30, 2015
Affected
We have not received a statement from the vendor.
Oracle has released a security advisory at the URL below:
Updated: November 30, 2015
Statement Date: November 24, 2015
Affected
"Unify is affected in two product lines as listed below. For details refer to the information given in the Security Advisory OBSO-1511-01.
We recommend all customers to apply the mitigations described in the advisory and install the corresponding product fix releases as soon as available.
To get notified about Advisory updates, subscribe as listed in <https://www.unify.com/security/advisories>."
Unify has issued Security Advisory OBSO-1511-01 at the URL listed below.
MITRE has assigned two CVE IDs for Unify products impacted by VU#576313:
CVE-2015-8237, affected products:
Unify OpenScape Fault Management V7 ("cpe:/a:unify:openscape_fault_management:7.%02")
Unify OpenScape Fault Management V8 ("cpe:/a:unify:openscape_fault_management:8.%02")
CVE-2015-8238, affected products:
Unify OpenScape UC Application V7 ("cpe:/a:unify:openscape_uc_application:7.%02")
Unify OpenScape Common Management Platform V7 ("cpe:/a:unify:openscape_common_management_platform:7.%02")
Updated: November 30, 2015
Unknown
We have not received a statement from the vendor.
JBoss has been reported as being affected.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 6.4 | E:POC/RL:W/RC:C |
Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.
This document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.
CVE IDs: | CVE-2015-6420
---|---
Date Public: | 2015-01-28
Date First Published: |
cwe.mitre.org/data/definitions/502.html
foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
frohoff.github.io/appseccali-marshalling-pickles/
mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%[email protected]%3e
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
www.infoq.com/news/2015/11/commons-exploit
www.openwall.com/lists/oss-security/2015/11/11/3
www.oracle.com/technetwork/java/seccodeguide-139067.html#8
www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179
www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
commons.apache.org/proper/commons-collections/
issues.apache.org/jira/browse/COLLECTIONS-580
networks.unify.com/security/advisories/OBSO-1511-01.pdf
tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407
www.youtube.com/watch?v=VviY3O-euVQ