Hello, I came across this article:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

It describes attacks against common Java applications with pre-authentication requests using malicious Java Object serialisation. It builds upon the work of Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) (presented on January 28th, 2015, "Marshalling Pickles", given at AppSecCali):

http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

The ysoserial tool has some sample payloads; two use commons-collection oac.collections.functors.InvokerTransformer.*

https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads

The class itself is rather handy to break out of the readObject() chains to execute arbitrary methods. I don't recall any discussion here about this class. Is this currently handled/reported?

Of course the more general problem is using serialisation with untrusted peers, and if commons-collection fixes this, there might still be other vectors, but still I think it would be good to do something against that "bad press"?

Regards
Bernd

* Another payload uses org.codehaus.groovy.runtime.MethodClosure from Groovy or some Spring AutoWire stuff.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org