oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw

From: Mark Felder <feld () feld me>
Date: Thu, 12 Nov 2015 15:52:47 -0600


On Thu, Nov 12, 2015, at 03:04, Gsunde Orangen wrote:

CVE-Request:
I appreciate this general discussion around deserialization issues and
hope this will make a jump-start for sustainable improvements on both
Java and application level in the long run.
Aside of that however, I'd like to go back to Jason's original request
to Mitre to get a CVE ID assigned to this particular issue with the
Apache Commons Collections functors package (specifically in the
InvokerTransformer class).


Is there any proof that Apache Commons Collections functors package
isn't doing what it's intended to be doing? Everything I'm reading
indicates that the problem is with applications believing they can
*trust* the input, not that there's a bug in the functors package, ie,
bad design.


So people (esp. Java applications developers) have a unique reference
when analysing and fixing this particluar one (by e.g. removing the
class, make it non-serializable or wait for a new Commons Collections
release that includes that fix - whatever is most appropriate to their
application's context).



The currently proposed "fix"[1] is to disable functionality that is
being used. This will break applications that need them.

[1] https://issues.apache.org/jira/browse/COLLECTIONS-580



-- 
  Mark Felder
  feld () feld me
Previous By Date Next
Previous By Thread Next

Current thread: