Home > Cyber News > Serious Java Deserialization Vulnerability Uncovered in 70 Libraries
CYBER NEWS

Serious Java Deserialization Vulnerability Uncovered in 70 Libraries

by   |  Last Update:  |  0 Comments  

In the beginning of 2015, the security researchers Gabriel Lawrence and Chris Frohoff revealed a Remote Code Execution vulnerability that could be exploited via the Apache Commons Collections. The latter is just one of the most well-known and widely used Java libraries.

apache-commons-collections-vulnerability

Later in 2015, experts reported an issue that made Java apps vulnerable to security holes. The reason was the way developers handled user-supplied deserialized data via the Apache library.

What Is Serialization in Java?

Serialization is the process of turning an object into a sequence of bytes which can be persisted to a disk or database, or can be sent through streams. The reverse process of creating an object from a sequence of bytes is dubbed deserialization.

The tentatively called vulnerability has raised some awareness (but far from enough) in the Java community. However, since the issue was not exactly a bug in the library, nothing could be done except warning other developers.

70 Libraries Include the Apache Common Collections

The issue is now even bigger in scope since 70 other libraries have the same problem when working with user-supplied deserialized data. Some of the most popular libraries include Apache Hadoop, Apache HBase, OpenJPA, JasperReports, Spring XD, etc.

The problem is that all these libraries include the Apache Common Collections in their code, thus applying functions handling user-supplier deserialized data. It’s important to note that this doesn’t make the libraries vulnerable. Issues appear when such applications don’t sanitize user-supplied data before deserializing it with one of the 70 libraries.

Researchers also note that detecting Java deserialization vulnerabilities is a tricky job. The problem is more of a blind spot that leaves researchers in a bad position since attackers are now beginning to focus on developers and the open source code they like to use.

Here is the list of all affected libraries:
Click on the accordion to view it

Libraries
Name – Version
Apache Directory API All – 1.0.0-M31
Apache Directory API All – 1.0.0-M32
Apache Jena – Fuseki Server Standalone Jar – 2.0.0
Apache Jena – Fuseki Server Standalone Jar – 2.3.0
flink-core – 0.9.0-hadoop1
flink-core – 0.9.0
flink-shaded-include-yarn – 0.9.0
flink-shaded-include-yarn – 0.9.0-milestone-1
jcaptcha-all – 1.0-RC6
jcaptcha-all – 1.0-RC5
Mule Core – 2.1.0
Mule Core – 2.1.2
JMS Transport – 3.0.0-M2-20091124
JMS Transport – 3.3-M1
Spring XD DIRT – 1.0.3.RELEASE
Spring XD DIRT – 1.0.4.RELEASE
Webx All-in-one Bundle – 3.2.3
Webx All-in-one Bundle – 3.0.14
hadoop-mapreduce-client-core – 2.6.2
hadoop-mapreduce-client-core – 2.6.0
Commons BeanUtils Core – 1.8.3
Commons BeanUtils Core – 1.8.2
Apache Hadoop Common – 2.6.2
Apache Hadoop Common – 2.5.2
Commons Collections – 20031027
Commons Collections – 3.2.1
OpenJPA Utilities Library – 2.3.0
OpenJPA Utilities Library – 2.2.2
OpenJPA Kernel – 2.3.0
OpenJPA Kernel – 2.2.2
OpenJPA Persistence – 1.2.3
JasperReports – 6.2.0
JasperReports – 6.0.2
Isis MetaModel – 1.0.0
Isis MetaModel – 1.1.0
AutoValue – 1
AutoValue – 1.0-rc4
Core – 1.6.2
Core – 1.6.1
velocity:velocity-dep – 1.5-beta2
Apache Commons Collections – 4
HBase – Common – 0.98.9-hadoop1
HBase – Common – 0.98.7-hadoop1
Apache Directory Shared LDAP – 0.9.11
org.springframework:spring – 2.5.6.SEC03
org.springframework:spring – 2.5.6.SEC02
Apache MyFaces JSF-2.2 Core Impl – 1.2.5
Apache MyFaces JSF-2.2 Core Impl – 2.2.7
jung-visualization – 2.0.1
jung-visualization – 2
HBase – Server 0.98.10.1-hadoop2
HBase – Server 0.98.7-hadoop2
org.apache.pig pig – 0.15.0
com.google.gwt gwt-dev – 2.7.0
larvalabs collections – 4.01
org.opensymphony.quartz quartz – 1.6.1
Apache Commons BeanUtils – 1.9.2
Apache Commons BeanUtils – 1.9.1
Apache Crunch Core – 0.13.0
JasperReports – 3.5.2
JasperReports – 3.5.1
ApacheDS MVCC BTree implementation – 1.0.0-M7
ApacheDS All – 2.0.0-M18
ApacheDS All – 2.0.0-M17
ESAPI – 2.1.0
ESAPI – 2.0.1
OpenJPA Aggregate Jar – 2.3.0
OpenJPA Aggregate Jar – 2.2.2
quartz – 1.6.3
quartz – 1.6.0

References

SoftPedia

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. .java Files Virus (Dharma Ransomware) – Remove and Restore Files This article aims to help you remove the newly discovered...
  2. Remove Java (Dcrtr variant) Ransomware – Restore .java Files This article will aid you to remove Java (Dcrtr variant)...
  3. Java:Malware-gen [Trj] Trojan – How to Detect and Remove CrossRAT This article has been created in order to explain what...
  4. Install Java Update Virus Pop-up – How to Remove It Install Java Update “Virus” Pop-up Java Update deceptive pop-ups present...
  5. Java Trojan Mac Removal What Is Java Trojan Java Trojan is a series of...
  6. PoC Code for CVE-2010-1622 Puts Spring Core Framework at Risk Another day, another zero-day. This time, security researchers discovered a...
  7. CVE-2021-41773: Apache Vulnerability Exploited in the Wild Apache just patched two security vulnerabilities (CVE-2021-41773 and CVE-2021-33193) in...
  8. CVE-2022-25845: Fastjson RCE Vulnerability that Affects Java Apps CVE-2022-25845 is a high-severity security flaw (rating 8.1 out of...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree