CYBER NEWS

Serious Java Deserialization Vulnerability Uncovered in 70 Libraries

At the beginning of 2015, the security researchers Gabriel Lawrence and Chris Frohoff revealed a Remote Code Execution vulnerability that could be exploited via the Apache Commons Collections. The latter is one of the best-known and most widely used Java libraries.


Later in 2015, experts reported an issue that made Java applications vulnerable. The cause was the way developers handled user-supplied serialized data with the Apache library.

What Is Serialization in Java?

Serialization is the process of turning an object into a sequence of bytes that can be persisted to disk or a database, or sent over a stream. The reverse process, creating an object from a sequence of bytes, is called deserialization.

The issue, loosely termed a vulnerability, has raised some awareness (though far from enough) in the Java community. However, since it was not exactly a bug in the library, nothing could be done except warn other developers.

70 Libraries Include the Apache Commons Collections

The issue is now even bigger in scope, since 70 other libraries have the same problem when working with user-supplied serialized data. Among the most popular are Apache Hadoop, Apache HBase, OpenJPA, JasperReports and Spring XD.

The problem is that all these libraries bundle the Apache Commons Collections in their code, and with it the classes that get exercised when user-supplied data is deserialized. It is important to note that this alone does not make the libraries vulnerable. Issues appear when an application deserializes user-supplied data without sanitizing it first while one of the 70 libraries is on its classpath.
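As an added example (not code from the article or from any of the listed projects), here is the unsafe readObject() pattern the article describes next to the standard mitigation for it: an ObjectInputStream that overrides resolveClass() to reject every class not on an explicit allow list, before any instance of it is created. The class and method names are my own, and the sample input is constructed; it assumes Java 9 or later for Set.of.

```java
import java.io.*;
import java.util.*;

// Added example, not code from the article: the unsafe readObject() pattern beside a
// look-ahead ObjectInputStream that refuses classes not on an explicit allow list.
public class SafeDeserialization {
    // Vulnerable: whatever class name the untrusted stream carries is resolved and
    // constructed, including gadget classes from libraries that happen to be on the classpath.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    // Hardened: resolveClass() runs for each class descriptor before any object of that
    // class exists, so unexpected types are rejected while still on the wire.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }
    static Object safeRead(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialized ArrayList standing in for user-supplied bytes.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        byte[] data = buf.toByteArray();
        System.out.println(unsafeRead(data));
        System.out.println(safeRead(data, Set.of("java.util.ArrayList")));
        try {
            safeRead(data, Set.of("java.util.HashMap")); // a type this endpoint does not expect
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The allow list should name only the types an endpoint genuinely expects; on Java 9 and later the built-in ObjectInputFilter offers the same check without subclassing.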

Researchers also note that detecting Java deserialization vulnerabilities is tricky. The problem is more of a blind spot, and it leaves researchers in a bad position now that attackers are beginning to focus on developers and the open-source code they like to use.

Here is the list of all affected libraries:

Libraries
Name – Version
Apache Directory API All – 1.0.0-M31
Apache Directory API All – 1.0.0-M32
Apache Jena – Fuseki Server Standalone Jar – 2.0.0
Apache Jena – Fuseki Server Standalone Jar – 2.3.0
flink-core – 0.9.0-hadoop1
flink-core – 0.9.0
flink-shaded-include-yarn – 0.9.0
flink-shaded-include-yarn – 0.9.0-milestone-1
jcaptcha-all – 1.0-RC6
jcaptcha-all – 1.0-RC5
Mule Core – 2.1.0
Mule Core – 2.1.2
JMS Transport – 3.0.0-M2-20091124
JMS Transport – 3.3-M1
Spring XD DIRT – 1.0.3.RELEASE
Spring XD DIRT – 1.0.4.RELEASE
Webx All-in-one Bundle – 3.2.3
Webx All-in-one Bundle – 3.0.14
hadoop-mapreduce-client-core – 2.6.2
hadoop-mapreduce-client-core – 2.6.0
Commons BeanUtils Core – 1.8.3
Commons BeanUtils Core – 1.8.2
Apache Hadoop Common – 2.6.2
Apache Hadoop Common – 2.5.2
Commons Collections – 20031027
Commons Collections – 3.2.1
OpenJPA Utilities Library – 2.3.0
OpenJPA Utilities Library – 2.2.2
OpenJPA Kernel – 2.3.0
OpenJPA Kernel – 2.2.2
OpenJPA Persistence – 1.2.3
JasperReports – 6.2.0
JasperReports – 6.0.2
Isis MetaModel – 1.0.0
Isis MetaModel – 1.1.0
AutoValue – 1
AutoValue – 1.0-rc4
Core – 1.6.2
Core – 1.6.1
velocity:velocity-dep – 1.5-beta2
Apache Commons Collections – 4
HBase – Common – 0.98.9-hadoop1
HBase – Common – 0.98.7-hadoop1
Apache Directory Shared LDAP – 0.9.11
org.springframework:spring – 2.5.6.SEC03
org.springframework:spring – 2.5.6.SEC02
Apache MyFaces JSF-2.2 Core Impl – 1.2.5
Apache MyFaces JSF-2.2 Core Impl – 2.2.7
jung-visualization – 2.0.1
jung-visualization – 2
HBase – Server – 0.98.10.1-hadoop2
HBase – Server – 0.98.7-hadoop2
org.apache.pig pig – 0.15.0
com.google.gwt gwt-dev – 2.7.0
larvalabs collections – 4.01
org.opensymphony.quartz quartz – 1.6.1
Apache Commons BeanUtils – 1.9.2
Apache Commons BeanUtils – 1.9.1
Apache Crunch Core – 0.13.0
JasperReports – 3.5.2
JasperReports – 3.5.1
ApacheDS MVCC BTree implementation – 1.0.0-M7
ApacheDS All – 2.0.0-M18
ApacheDS All – 2.0.0-M17
ESAPI – 2.1.0
ESAPI – 2.0.1
OpenJPA Aggregate Jar – 2.3.0
OpenJPA Aggregate Jar – 2.2.2
quartz – 1.6.3
quartz – 1.6.0

References

SoftPedia

Milena Dimitrova
