Back in late January, two security researchers (Gabriel Lawrence and Chris Frohoff) uncovered an RCE (Remote Code Execution) vulnerability that could be exploited via one of the most popular Java libraries around, the Apache Commons Collections.
Because the vulnerability is quite hard to understand, despite the researchers' best efforts, the issue went unnoticed for almost the entire year.
A recent talk given by Matthias Kaiser on the same topic (video below) has brought the issue back to light and spurred Steve Breen from Foxglove Security to investigate it even further in a blog post that contains all the details you'll need to successfully exploit it in various scenarios.
Mr. Breen was able to use the RCE vulnerability to exploit applications that use Commons Collections, such as WebLogic, IBM WebSphere, JBoss, Jenkins, and OpenNMS. Of course, other applications that use the Commons Collections library can also be potentially vulnerable to remote attacks, not just the ones tested by Mr. Breen; the only condition is that the app accepts user-supplied serialized data.
A monkey patch fix is available
The problem lies in the way Java handles object deserialization operations via the Commons Collections library, which, despite being a third-party tool that is not included in the Java core, is one of the most widely used Java libraries. This can easily be shown by a quick search on GitHub for the library's various names and combinations.
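The condition named above (the application deserializes user-supplied data with a gadget-bearing library such as Commons Collections on its classpath) is what the defensive "look-ahead" approach targets: reject unexpected classes before the stream ever instantiates them. The following is an added example written for this article, not code from the researchers, Foxglove Security, or any of the projects mentioned. It assumes a hypothetical application whose only legitimate wire type is a small `Message` class; every other class name in the stream, including anything under `org.apache.commons.collections`, is refused in `resolveClass`, which Java calls for each class descriptor before constructing the object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Date;
import java.util.Set;

// Added defensive example (not from the article): an ObjectInputStream that
// resolves only explicitly allow-listed classes. A stream referencing any
// other class is rejected before an instance of it is ever created.
public class SafeDeserialization {

    // Hypothetical application message type; the only class expected on the wire.
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String body;
        Message(String body) { this.body = body; }
    }

    // Allow-list of fully qualified class names permitted during deserialization.
    // Primitives and String values are written inline and never reach resolveClass.
    static final Set<String> ALLOWED = Collections.singleton(Message.class.getName());

    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(byte[] data) throws IOException {
            super(new ByteArrayInputStream(data));
        }

        // Invoked for every class descriptor in the stream *before* the object is
        // instantiated, so throwing here stops unknown types from being built at all.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not allowed for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(data)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the allow-list and round-trips normally.
        Message m = (Message) deserialize(serialize(new Message("hello")));
        System.out.println("accepted: " + m.body);

        // Any other type (java.util.Date here, a harmless stand-in for an
        // unexpected class) is refused before it is instantiated.
        try {
            deserialize(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list idea is what Java 9 and later expose natively through `ObjectInputFilter` (set via `ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` system property), which additionally limits stream depth and array sizes; on Java 8, the `resolveClass` override shown here is the equivalent control. Pair it with logging of rejected class names, since a rejection of a Commons Collections class in a stream that should only ever carry `Message` is a useful detection signal in its own right.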