Ted Yu created FLINK-3005:
-----------------------------
Summary: Commons-collections object deserialization remote command
execution vulnerability
Key: FLINK-3005
URL: https://issues.apache.org/jira/browse/FLINK-3005
Project: Flink
Issue Type: Bug
Reporter: Ted Yu
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
TL;DR: If you have commons-collections on your classpath and accept and process
Java object serialization data, then you may have an exploitable remote command
execution vulnerability.
Brief search in code base for ObjectInputStream reveals several places where
the vulnerability exists.