In early 2015, security researchers Gabriel Lawrence and Chris Frohoff disclosed a remote code execution vulnerability that could be exploited through Apache Commons Collections, one of the most well-known and widely used Java libraries.
Later in 2015, experts reported that many Java applications were exposed to this issue because of the way developers handled user-supplied deserialized data via the Apache library.
What Is Serialization in Java?
Serialization is the process of turning an object into a sequence of bytes that can be persisted to disk or a database, or sent over a stream. The reverse process, creating an object from a sequence of bytes, is called deserialization.
The so-called vulnerability has raised some awareness (though far from enough) in the Java community. However, since the issue was not exactly a bug in the library, nothing could be done except warn other developers.
70 Libraries Include Apache Commons Collections
The issue is now even bigger in scope, since 70 other libraries have the same problem when working with user-supplied deserialized data. Some of the most popular include Apache Hadoop, Apache HBase, OpenJPA, JasperReports and Spring XD, among others.
The problem is that all these libraries include Apache Commons Collections in their code, and thus carry functions that handle user-supplied deserialized data. It is important to note that this does not by itself make the libraries vulnerable. Issues appear when applications do not sanitize user-supplied data before deserializing it with one of the 70 libraries.
Researchers also note that detecting Java deserialization vulnerabilities is a tricky job. The problem is more of a blind spot, which leaves researchers in a bad position now that attackers are beginning to focus on developers and the open source code they like to use.